Analysis

  • max time kernel
    4294210s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    24-02-2022 07:59

General

  • Target

    eVoucher.js

  • Size

    20KB

  • MD5

    b2be3dbbf5e20713b203a95b9dca8ee6

  • SHA1

    fa11acd273295bbfaf6db67acb1cc7fd0934d825

  • SHA256

    f2a1e7f1d81a1500da4245641082c12649e4bb8136d7883c2f211ba327ffcac2

  • SHA512

    b03a23d4020904b4b72005c9513e2f77a4f4925754532e3b417d26e85deb68460f8671b49180527a9f719afecd6ebaabfb17ccaa6552ee75bc5d545b5d0788dc

Malware Config

Extracted

Family

vjw0rm

C2

http://warrr.duckdns.org:9997

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 19 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1656
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\eVoucher.js
      2⤵
      • Creates scheduled task(s)
      PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Scheduled Task (T1053): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\ssoLSQXptF.js
    MD5

    e983a6182dfbb9a79b2bf3e3b9c589a4

    SHA1

    f24cb83586d88963bece54a2d18c1994880e0377

    SHA256

    bf43679c00fd876f84e1f836b2bb753fe8e1cd08b0d573e429cecd26d09e1fd5

    SHA512

    5d0a8db73393378706ee9e955c1e04fc6bb0c71a113514e158df5c5d5a1f7d0e2d04a4d3017bc56ea0ddc1b302f04313cbcf4dd043628abc8acaf9bbf30ef120