Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-06-2022 08:16

General

  • Target

    Documents.js

  • Size

    156KB

  • MD5

    6fef27b2d092e699fe963ced538647d7

  • SHA1

    92f5af7e88153a1cb884a23644366a139ff0941e

  • SHA256

    dc53423d89187d301bdadfcab2eadaea50860e6262fa5f3684aec110b1d6c660

  • SHA512

    022d4d61547b63eff7c6c9400bc965c5f1999475c6a508f6bcbc3aaefb489a55609edabdec243285b904094e9c7ab4d9026dec6897b4bb3268549ce258fa14e2

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

  • Blocklisted process makes network request 44 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a Vjw0rm/H-Worm family sample, enumerating drives is consistent with removable-drive propagation rather than encryption.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Documents.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xToCTRaPXT.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:836
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\myhwormbin.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4404
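
The process tree above is the part of this report a detection engineer can act on: a script host launched from Temp spawns two more script hosts, one of them with the //B (batch, no prompts) switch, running scripts from AppData, and both register Run-key persistence. The following is an added example, not sandbox output or the malware's code: a small rule set in Python run over hand-constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 13 RegistryEvent SetValue fields). PIDs, images and command lines are copied from the report; the parent PID of the first process, the SID in the registry path, the Run value data and the benign control event are assumptions for illustration.

```python
"""Rules for the wscript.exe chain seen in this report, run over constructed
Sysmon-style events.  Added example; field names follow Sysmon Event ID 1
(ProcessCreate) and Event ID 13 (RegistryEvent SetValue)."""
import re
from collections import defaultdict

# Constructed events.  PIDs and command lines mirror the report's process tree;
# ParentProcessId 1234, the SID, the Run value data and the final benign
# logon-script event are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 4696, "ParentProcessId": 1234,
     "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Documents.js"},
    {"EventID": 1, "ProcessId": 836, "ParentProcessId": 4696,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xToCTRaPXT.js"'},
    {"EventID": 1, "ProcessId": 4404, "ParentProcessId": 4696,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\myhwormbin.vbs"'},
    {"EventID": 13, "ProcessId": 836,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Run\xToCTRaPXT",
     "Details": r'"C:\Users\Admin\AppData\Roaming\xToCTRaPXT.js"'},
    # Benign control: a logon script run from a domain share should not fire.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\inventory.vbs"},
]

SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\|\\Users\\Public\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
BATCH_SWITCH = re.compile(r"(^|\s)//B(\s|$)", re.IGNORECASE)  # wscript //B: suppress prompts/errors


def classify(ev):
    """Return the names of the rules a single event fires (possibly none)."""
    hits = []
    if ev["EventID"] == 1 and SCRIPT_HOST.search(ev["Image"]):
        cmd = ev["CommandLine"]
        if SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("script_host_runs_user_writable_script")
        if SCRIPT_HOST.search(ev.get("ParentImage", "")):
            hits.append("script_host_spawns_script_host")
        if BATCH_SWITCH.search(cmd):
            hits.append("script_host_batch_mode")
    elif ev["EventID"] == 13:
        if RUN_KEY.search(ev["TargetObject"]) and SCRIPT_FILE.search(ev["Details"]):
            hits.append("run_key_points_at_script")
    return hits


def score_processes(events):
    """Collect rule hits per ProcessId across process-create and registry events."""
    scores = defaultdict(list)
    for ev in events:
        scores[ev["ProcessId"]].extend(classify(ev))
    return {pid: hits for pid, hits in scores.items() if hits}


def suspicious_chains(events, threshold=2):
    """For every process with at least `threshold` hits, walk up through
    script-host parents and return the root PID of each chain, so the analyst
    gets one alert on the initial Documents.js launch instead of three."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    is_host = {ev["ProcessId"]: bool(SCRIPT_HOST.search(ev["Image"]))
               for ev in events if ev["EventID"] == 1}
    roots = set()
    for pid, hits in score_processes(events).items():
        if len(hits) < threshold:
            continue
        while parent.get(pid) in is_host and is_host[parent[pid]]:
            pid = parent[pid]
        roots.add(pid)
    return roots


if __name__ == "__main__":
    for pid, hits in score_processes(EVENTS).items():
        print(pid, hits)
    print("chain roots:", suspicious_chains(EVENTS))
```

The root launch of Documents.js from Temp fires only one rule on its own, which is also what a user double-clicking a script out of an archive looks like; the children (script host spawning script host, //B, AppData path, Run value naming a script) are what raise the chain to an alert, so the scoring walks up to the root rather than alerting on each child. The benign logon script from a share fires nothing because its path is not user-writable and it has no script-host parent.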

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\myhwormbin.vbs

    Filesize

    13KB

    MD5

    a8d63ee7c2363269a170a93ec66bcabd

    SHA1

    d3f10e8119c1e4b481bfcdf47ac78cb062658d1c

    SHA256

    5355829d1136942095fb27fd990506c6ae00b47eb2e2979af30562979da8b75f

    SHA512

    f24a609ea53cb3f7c019c1cb197caa8aca2f312bf2e46510ae4b201d4a49797348e1aa8a7b09b4d96f58d6d93ef2e3b136b284b89eb375c1b98b0f929ba17292

  • C:\Users\Admin\AppData\Roaming\xToCTRaPXT.js

    Filesize

    47KB

    MD5

    8ae914d7354bb9f4959138b0839637ba

    SHA1

    a8a105d4f944f08d2d9ff3286c70f5d822b23ef2

    SHA256

    baf8ccf5bb9e44dd2f406932e50072f639ea0ae95614f26743e6a8b8d14c66ac

    SHA512

    e9efdaf109f9cad3c9715e4f44f96f0a09a2d0a1b8d5fc5a836bd31b609fd49389b3a209347690f794065703f0d3be1ad25dc647640af7515852606f555b71e3

  • memory/836-130-0x0000000000000000-mapping.dmp

  • memory/4404-131-0x0000000000000000-mapping.dmp