Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    04-01-2022 04:16

General

  • Target

    image006.png.js

  • Size

    209KB

  • MD5

    e6860fcf7fd568970643d88ddc7d87cd

  • SHA1

    fef07c35b5cb90b850f920b222b7cf005c03b199

  • SHA256

    bae95e206861f753435369c3ca6b6c4bc655bd8a6f461c150785b1899766d55b

  • SHA512

    85d9eb5e92a593de8c170a92f1d7d67fdb5ca4bc57b0a865a4a81d626873ae316514293eb77730b0d1a11136c4696adb413f5c071a227aed9f00e048a9b18f8b

Malware Config

Extracted

  • Family
    vjw0rm
  • C2
    http://spdxx.ddns.net:5050

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 20 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\image006.png.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\beVSdOTIld.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1060
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\image006.png.js
      2⤵
      • Creates scheduled task(s)
      PID:1840

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\beVSdOTIld.js

    MD5

    5a6b6b58ecb6d0c0aac457c6bbbe1b8c

    SHA1

    f84d217b7404cde7be72d77baa6a68621418d4dd

    SHA256

    bd34475e672c363420200ca5f8b2c477496bb42d2d1901a8a95c406f05f489de

    SHA512

    3757be1d0034de1ad63b079a5db0a7918f140a01aaca3748fe51fbd27818171894fde74f117e597afeda7a42b448d6f4642f5bb1716aea6efa95cda57a36dc6c

  • memory/1060-115-0x0000000000000000-mapping.dmp

  • memory/1840-117-0x0000000000000000-mapping.dmp