Analysis

  • max time kernel
    519s
  • max time network
    536s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    13-06-2022 03:29

General

  • Target

    NEW-PO.js

  • Size

    100KB

  • MD5

    485e3fa1027dc300cbcf48fea637dd57

  • SHA1

    589ff4d6aae5af14bc251db32ec6e239f63dcdc5

  • SHA256

    9446c38b335edc7d0dbfa754ad0a8f1a41de185f83722b43816b739c3ceb74f4

  • SHA512

    257b334e96bc4dc1fcd184e5d77f97bec8fffec3f76b4b8038c9f8b148a4e400dcfe2c7907720863cd3dc160ef048db3ef224646db5b27b3b4f98113c067e888

Malware Config

Extracted

Family

vjw0rm

C2

http://franmhort.duia.ro:8152

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

  • Blocklisted process makes network request 64 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW-PO.js
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\hworm.vbs"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4644
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gQZvgHUtLG.js"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion
    Modify Registry: T1112 (1)

  • Discovery
    System Information Discovery: T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hworm.vbs
    Filesize

    13KB

    MD5

    4b685bd75281e7d4fd5d5c6ea517f7b4

    SHA1

    737c0d37815c7c22b036c1edba100a95a67ae671

    SHA256

    185182f369edcb96118a91dcad39eb5b63239112ed6963a8c274178bf1b55394

    SHA512

    dec575589bc3fb8ba72fd7e7d83f20baad4d3fef7da54fe9203444c0c4a8ac39f1608c11a1427071b8af9554067bdd24810beeca8d924b6df871bfd9d1687487

  • C:\Users\Admin\AppData\Roaming\gQZvgHUtLG.js
    Filesize

    27KB

    MD5

    d0180262c99e4a8b9bcae252950d3b53

    SHA1

    6039d0a418ea7afdb2d64c7621107510459d970a

    SHA256

    3fcc843e8735f172c8746f473f042cc7bf796cad0b25f4d2e210251e206f9b43

    SHA512

    fbe38862a7cefd617033f65ea91b889b49245e9643ba35ebd4123f31e1236dc0f3cea0aca8e828534e48c62554de0f69b8a1733bfceb3c411f93f96ad2f59581

  • memory/2372-117-0x0000000000000000-mapping.dmp
  • memory/4644-118-0x0000000000000000-mapping.dmp