Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    18/01/2022, 11:27

General

  • Target

    New Price List For DStv&GOtv.pdf.jar

  • Size

    189KB

  • MD5

    b1d6eafab8240680ef96194944ce3801

  • SHA1

    a9b312e682e43b28d28faf6b66c903ba12dfecf5

  • SHA256

    85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38

  • SHA512

    af2daaccce5c601f4dae45ea51113eb85cb86b055dbba22bfaf131200c5ecf4f29ff66c42ae7bb1d9d6fd893cb715f1c77734f211f296ef91f98c5fa0ac37cf2

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (13 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Program Files directory (12 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\New Price List For DStv&GOtv.pdf.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\_output.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:764
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvfvhnkswy.txt"
        3⤵
        • Drops file in Program Files directory
        PID:1432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1432-138-0x00000000012E0000-0x00000000012E1000-memory.dmp
    Filesize: 4KB
  • memory/1432-142-0x0000000002E10000-0x0000000011F10000-memory.dmp
    Filesize: 241.0MB
  • memory/2520-131-0x0000000002D40000-0x0000000011E40000-memory.dmp
    Filesize: 241.0MB
  • memory/2520-132-0x0000000000D20000-0x0000000000D21000-memory.dmp
    Filesize: 4KB