Overview

overview

10

Static

static

Voucher_4093.js

windows7_x64

10

Voucher_4093.js

windows10-2004_x64

10

Analysis

  • max time kernel
    183s
  • max time network
    219s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-02-2022 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Voucher_4093.js

  • Size

    9KB

  • MD5

    5232adca452765d2f6f4d552afdc6230

  • SHA1

    f6e0fe80b48f1a5022a864552be66acf42e91091

  • SHA256

    87ac3e5dc3d4a3bf8aba37d4c994d2574187cb21118182d7b25ac167ec421d33

  • SHA512

    bc8c478e5a86733d0101a6a87bf7b1acb870f31dc0df0ef5909a069aa3833b4d6fd124b146b4658686e2a0b932071ea55120147e2736c2a85729a7ac5ee18034

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Voucher_4093.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Voucher_4093.js
      2⤵
      • Creates scheduled task(s)
      PID:1764
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3396
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3396-142-0x0000018FECC30000-0x0000018FECC34000-memory.dmp
    Filesize

    16KB

    Download