Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    10-09-2021 05:02

General

  • Target

    c190431d_hyUa2Op4cf.js

  • Size

    207KB

  • MD5

    c190431d51eed488359ebc98cbb2e900

  • SHA1

    eaa9bbf31cc5c32bc03cd146a3869a2b4abd29ee

  • SHA256

    cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0

  • SHA512

    540dab7e3443704b5ad54a5c8dbed684c44ab48d4feac6f5f6f372b847c1367e8808ece7b7a7af01bb178a8b88d42e86cd94dfea220043baf78f54542d90085e

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c190431d_hyUa2Op4cf.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:316
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nqxwgxwnok.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1172 -s 140
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1564

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js

    MD5

    4572042fa026d488a4671b852b94a692

    SHA1

    3d0f401c799896d9fc04ffc78db5ef31e2384fae

    SHA256

    7f019f498b724ed99ace9c57eaff75f1280a1298b6f4d95c03bf2d74994126fe

    SHA512

    16addb60f8b2dff6223a713bdaf4b9f39a09d7046c2b967ccb38c650e1d90022c993a0aa12371b7f248fe7f7093a48a2c17cedf85fa50b87756e73bb5ae61cdd

  • C:\Users\Admin\AppData\Roaming\nqxwgxwnok.txt

    MD5

    a4ac8b8642e628e577d1048ca97cc204

    SHA1

    982102027bf878e74faf9a2b32a6f4ba218d04fd

    SHA256

    af78d72f8eade441cadc93ce4b51766604cde43267d5b610da63503823f8793b

    SHA512

    58f8f47ce6b3a1a367bea63cb8c4aa8c3bc9813d85482bd8fa946b33161829fb17dc5d1cc5b341c639ec464ca7c7bba849f7b4cb37950af9864d3954da7566f5

  • memory/316-54-0x0000000000000000-mapping.dmp

  • memory/1172-56-0x0000000000000000-mapping.dmp

  • memory/1564-59-0x0000000000000000-mapping.dmp

  • memory/1564-61-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

    Filesize

    4KB

  • memory/1640-53-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

    Filesize

    8KB