Overview

overview

10

Static

static

receipt.js

windows7_x64

10

receipt.js

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    13-03-2022 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    receipt.js

  • Size

    66KB

  • MD5

    6f3064d19d9af3374af22dd40df47850

  • SHA1

    9a663a6b13430cc5018a23b348850ff76644f5fb

  • SHA256

    779d2a6161c86c42ce9ed2888117b72a6778f050153654a0d9c0aa1e3ec3cfdc

  • SHA512

    f8ba075afddbb3f3f7f64af145cbd9e70c02710689c70d47959f3e9ca38593bc29a6c28896ffb19621802a09981ebf31a96630d9cff115c91e25335f18e21f85

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9001

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 17 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GHCfqroCHm.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\GHCfqroCHm.js
    MD5

    eaa8511b7082f30b4a6e46702014f014

    SHA1

    dbc2dfad64e5f7b00492743f706fddeed984fd9b

    SHA256

    545360cb2972730fa0cdcd01b56deab97cdbe4a113b626962ab20877c79586d2

    SHA512

    17cf9357656987f5c9595c8157cad0b864a836a2cf910bdaf67f1468838fff42fedde1cfe419487d177f9ef472d88a72378300230d6b2deb2cb56a6bc9d7c9f2

    Download Submit