Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-03-2022 14:23

General

  • Target

    Quotation.js

  • Size

    1.3MB

  • MD5

    69c06fd94a073383b9435c801ebb62eb

  • SHA1

    0fae62beac98d2806118a831eb0eca04bf351b65

  • SHA256

    925d5dec4f50c6ce6eb8bd56a51cdb123e8639f282292e3ed1b6cdd4f37e504b

  • SHA512

    e24e74c11f78a6c8f27c4ba5279ca5012577a493966f883ab5c2481e88a657ad0f50ff05cef37eebd4e1e888a797d7038398b520577174cc51bd909b54eedd31

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript; it runs under the Windows Script Host (wscript.exe), which is why every stage in the process tree below starts from a .js file.

  • Blocklisted process makes network request 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; for a Vjw0rm sample, drive enumeration is more consistent with the family's spreading to removable media, and nothing else in this report (no file encryption, no ransom note) points to ransomware.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
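The two persistence signatures above ("Drops startup file" and "Adds Run key to start application") fire on the Roaming copy, PID 4212 in the process tree below. The following host-side check is an added example, not part of this report or of any sandbox tooling: it parses `reg query` output for the per-user Run key plus a Startup-folder listing and flags script-based autostarts. Both inputs are constructed; the report shows neither the Run value's name nor its data, so the jZWRVkiZOm value is assumed from the dropped path, and the OneDrive entry and desktop.ini are benign controls.

```python
import re

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Per-user writable locations the report shows the sample dropping into.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. The report says the Roaming copy adds a Run key but shows neither
# the value name nor its data, so the jZWRVkiZOm value is an assumed
# illustration built from the dropped path; OneDrive is a benign control.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    jZWRVkiZOm    REG_SZ    "C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js"
"""

# Constructed Startup-folder listing; the report only says a startup file was dropped.
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_FILES = [STARTUP_DIR + r"\desktop.ini", STARTUP_DIR + r"\jZWRVkiZOm.js"]

# One value line of `reg query` output: <indent><name><spaces><REG_type><spaces><data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return (name, type, data) for each value line of `reg query` output."""
    return [m.groups() for m in map(VALUE_LINE.match, text.splitlines()) if m]


def split_cmdline(cmdline):
    """Split a command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def audit_autostarts(reg_text, startup_files):
    """Return (source, name, path, in_user_writable) for every script-based autostart."""
    findings = []
    for name, _type, data in parse_reg_query(reg_text):
        scripts = [t for t in split_cmdline(data) if t.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            findings.append(("run_key", name, scripts[0],
                             bool(USER_WRITABLE.search(scripts[0]))))
    for path in startup_files:
        if path.lower().endswith(SCRIPT_EXTS):
            findings.append(("startup_folder", path.rsplit("\\", 1)[-1], path,
                             bool(USER_WRITABLE.search(path))))
    return findings


if __name__ == "__main__":
    for source, name, path, user_writable in audit_autostarts(REG_QUERY_OUTPUT, STARTUP_FILES):
        print(f"{source}: {name} -> {path} (user-writable: {user_writable})")
```

On a live host the same functions take the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a directory listing of the Startup folder; the extension check is deliberately on the script argument, not on the value name, because the name is attacker-chosen.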

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation.js
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4212
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xzzjliqum.txt"
      • Drops file in Program Files directory
      PID:3540

Reading the tree: the submitted Quotation.js runs under the Windows Script Host (PID 4288), writes two files to %APPDATA% and launches both as children. jZWRVkiZOm.js (PID 4212) is the copy that persists (Run key and startup file) and makes the network requests, so it is the Vjw0rm instance proper. xzzjliqum.txt is passed to javaw.exe with -jar, so it is a Java archive by content despite the .txt extension; the report does not identify that second payload. Hashes for both dropped files are listed under Downloads below.
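The tree above gives three process-creation events worth turning into detection logic: a script host executing a .js out of a user-writable path, javaw.exe given -jar on a file that is not named .jar, and a script host as the parent of a Java launcher. The block below is an added example, not code from this report or from the sandbox: it runs those three rules over constructed Sysmon-style process events. The images, command lines and PIDs of the first three events are copied from the tree; the parent PID 1000 of the root wscript.exe is assumed (the report does not show it), and the last two events are benign controls.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. The first three reproduce the images, command lines and
# PIDs from the sandbox tree; the parent PID 1000 of the root wscript.exe is
# assumed (the report does not show it). The last two are benign controls.
EVENTS = [
    ProcEvent(4288, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation.js"),
    ProcEvent(4212, 4288, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js"'),
    ProcEvent(3540, 4288, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xzzjliqum.txt"'),
    ProcEvent(5001, 1000, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\Tool\tool.jar"'),
    ProcEvent(5002, 1000, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# User-writable drop locations seen in the tree: %LOCALAPPDATA%\Temp and %APPDATA%.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata\\(local\\temp|roaming)|downloads)\\", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev, by_pid):
    """Return the rule names that fire for one event."""
    hits = []
    exe = basename(ev.image)
    args = split_cmdline(ev.cmdline)
    # Rule 1: a script host running a script out of a user-writable path
    # (Quotation.js from Local\Temp, the Roaming copy from %APPDATA%).
    if exe in SCRIPT_HOSTS and any(
        a.lower().endswith(SCRIPT_EXTS) and USER_WRITABLE.search(a) for a in args[1:]
    ):
        hits.append("script_host_runs_script_from_user_writable_path")
    # Rule 2: java -jar on a file whose name does not end in .jar
    # (xzzjliqum.txt is a JAR by content, .txt by name).
    if exe in JAVA_LAUNCHERS and "-jar" in args:
        i = args.index("-jar")
        if i + 1 < len(args) and not args[i + 1].lower().endswith(".jar"):
            hits.append("java_jar_extension_mismatch")
    # Rule 3: a script host as the parent of a Java launcher.
    parent = by_pid.get(ev.ppid)
    if parent is not None and basename(parent.image) in SCRIPT_HOSTS and exe in JAVA_LAUNCHERS:
        hits.append("script_host_spawns_java")
    return hits


def run(events):
    """Map PID -> fired rules, for events that fired at least one rule."""
    by_pid = {e.pid: e for e in events}
    results = {}
    for e in events:
        hits = detect(e, by_pid)
        if hits:
            results[e.pid] = hits
    return results


if __name__ == "__main__":
    for pid, hits in run(EVENTS).items():
        print(pid, ", ".join(hits))
```

Rule 1 fires on the initial Quotation.js as well as on the Roaming copy, which is the intended behaviour: a .js launched from %LOCALAPPDATA%\Temp is how an e-mail attachment is opened, and that is the earliest point at which this chain is visible. Rule 3 needs the parent event to be in the same batch, so in a real pipeline feed it the whole tree rather than single events.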

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1 matched signature

Defense Evasion

  • Modify Registry (T1112): 1 matched signature

Discovery

  • Query Registry (T1012): 1 matched signature
  • System Information Discovery (T1082): 2 matched signatures

The technique IDs follow ATT&CK v6, as the report states. In current ATT&CK versions, T1060 has been retired and its content lives under T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112, T1012 and T1082 keep their IDs.


Downloads

  • C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js
    MD5

    400d402ce0dc1bbd5cea36de09b25379

    SHA1

    e6a5f40cbf010f440922612eb469a0a0a2f8e7c7

    SHA256

    48afd1b8a96cf82de1dd7d4533fdabcd66edf957f354902a999f3b23a823958b

    SHA512

    13f0b3cffb22ca53e8a0f8e41d81a808f030b355f05fca37d34e4ba1fd5d54a41ad2e520ba5d0fdf058cc2653e61a31304d2d736de0b838cb735194a320ab595

  • C:\Users\Admin\AppData\Roaming\xzzjliqum.txt
    MD5

    391907cc91179ada8c93dfb70cf2fa56

    SHA1

    da55acbf6aafe2f376bf4ebd3ff8fbf99cf4966d

    SHA256

    20ad6197b8d0b6b2764f90ef38bace3e230cb2878db9a30778db0e4ef042a039

    SHA512

    931c419c6fff67cc0973eaa67c771aafa573ad5875b1db93ed4ec52e1f20f7e567a0f7c44d916de1d8e77407fe83eb2418fc9c0ba457bd05ef1f742bc4ed0afc

  • memory/3540-135-0x0000000002C40000-0x0000000002C41000-memory.dmp
    Filesize

    4KB

  • memory/3540-139-0x0000000002C40000-0x0000000002C41000-memory.dmp
    Filesize

    4KB

  • memory/3540-153-0x0000000003120000-0x0000000012120000-memory.dmp
    Filesize

    240.0MB

  • memory/3540-162-0x0000000002C40000-0x0000000002C41000-memory.dmp
    Filesize

    4KB

  • memory/3540-169-0x0000000003120000-0x0000000012120000-memory.dmp
    Filesize

    240.0MB

  • memory/3540-170-0x0000000003120000-0x0000000012120000-memory.dmp
    Filesize

    240.0MB