Analysis
max time kernel: 134s
max time network: 144s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-10-2021 19:36

Static task: static1
Behavioral task: behavioral1
Sample: g1m3_Payment_receipt.js
Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds
General
Target: g1m3_Payment_receipt.js
Size: 81KB
MD5: 227c97971e3a533da777df3558817c33
SHA1: 20e0339535e0c0ca20830a7929dd85c0648c5c11
SHA256: 986a95a00339276c26cb9a6ed50fba01e5c40e3cb0201c1c03aae14002a564a2
SHA512: a10d0f9d79bb9eefbdc410086d62c9e59b2dd06ec140820c207c8c4b1cde594eccc28a4736d0d3b13b750b269d3ee14ee6c41240ddde917d1af934eba110cce7
Score: 10/10
Malware Config
Extracted
Family: vjw0rm
C2: http://6200js.duckdns.org:6200
Signatures

Blocklisted process makes network request (7 IoCs)
Processes (flow / pid / process):
  5   368  wscript.exe
  7   368  wscript.exe
  9   368  wscript.exe
  11  368  wscript.exe
  13  368  wscript.exe
  15  368  wscript.exe
  17  368  wscript.exe

Drops startup file (2 IoCs)
Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g1m3_Payment_receipt.js  (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g1m3_Payment_receipt.js  (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run  (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\g1m3_Payment_receipt.js'"  (wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
  PID 368 wrote to memory of 1180  368  wscript.exe  schtasks.exe
  PID 368 wrote to memory of 1180  368  wscript.exe  schtasks.exe
  PID 368 wrote to memory of 1180  368  wscript.exe  schtasks.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\g1m3_Payment_receipt.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\schtasks.exe (child of process 1)
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\g1m3_Payment_receipt.js
   - Creates scheduled task(s)