Overview

overview

10

Static

static

新命令_...PDF.js

windows7_x64

10

新命令_...PDF.js

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-09-2021 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    新命令__________.PDF.js

  • Size

    207KB

  • MD5

    9154158d95df39303de36b475a790529

  • SHA1

    b79ad43d110887b9302bbfca092517a1fb0f43f3

  • SHA256

    ce8e23a1309e4fbe54a48d36c5c68af97df72073acce4a930df3246a34a75f32

  • SHA512

    de36f4d45c7b03f8cb70498bfd7a9285303814eb20a9a7f09a7855db6daacf817e4e6a0f63f6e63dd46b8bff7d4704155daa4fb2e9ca5a4902957dead3ee7a82

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\新命令__________.PDF.js
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3948
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pkbblnve.txt"
      2⤵
        PID:4012
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 4012 -s 356
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js
      MD5

      5f1405a47e8cf0bc0188332a4a791761

      SHA1

      638fe4be43f13d79266be5ee35b7879fdeafc71a

      SHA256

      d9d12a49414db2909da558bed4013e0987fe61140f3c4e17501800ac32d422f7

      SHA512

      d2e722dea389123c24534bc661352a7bf42188b47428bb24f1507db4b68f0d47e49b3f95d8cab3f7d5470aa31f51fa72be5d63a4560e785d04860d2a5bd54313

      Download Submit

    • C:\Users\Admin\AppData\Roaming\pkbblnve.txt
      MD5

      2e458a59025b390fbdf7d3717314b507

      SHA1

      d5a84f501bfa81682ebde5e31a68794140141785

      SHA256

      6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

      SHA512

      2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

      Download Submit

    • memory/3948-114-0x0000000000000000-mapping.dmp

      Download

    • memory/4012-116-0x0000000000000000-mapping.dmp

      Download