Overview

overview

10

Static

static

receipt#.js

windows7_x64

10

receipt#.js

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    04-12-2021 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    receipt#.js

  • Size

    22KB

  • MD5

    13fb0284023b235db4c118f0173c272c

  • SHA1

    71bf685ab695101244f4c2aebc4f257911b7e302

  • SHA256

    b2fb92728d4406136e6934be420befd0306ea69b03540e73e0d718a6d09e0f70

  • SHA512

    e8d635e4695f0905331d263f71706a2ce404140de9037f1a9691616e30009c990e1512b1921c5e3e4041aa49743fa8fab10c8588910cc401fc7f12068af0daed

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9998

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt#.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hgMQjNbTZm.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:664
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt#.js
      2⤵
      • Creates scheduled task(s)
      PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\hgMQjNbTZm.js
    MD5

    d0f1a684002735cf158c3fe44e2c0e94

    SHA1

    56e3369154b815344c30589ada5cbd198beb98fa

    SHA256

    c293fc6c91c5a4a889bb96411d58c7af35d623ab1392f8be4ae44874d15e0073

    SHA512

    fc1a4b3f90ec1e4fe97799cf7f248a4221747b0a226907bb53c8821498a4d0e582252a1f180de3f65e5ee0ec1f831bdc56ae8db02c60e76e71bbb72bb5c9b676

    Download Submit
  • memory/664-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1140-57-0x0000000000000000-mapping.dmp
    Download