Overview

overview

10

Static

static

New-Order.js

windows7_x64

10

New-Order.js

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New-Order.js

  • Size

    90KB

  • MD5

    887c83e306335e36f6e81cdd30f527e2

  • SHA1

    3ec7601bb106ba9bb4639e75b9466adaf52e5607

  • SHA256

    365fb34e5d2f5f4a143599765d0ac0f34dc1b6cddf857c6cf8f87f17d7408f1b

  • SHA512

    3dddd2b196538e2c684435e7f451b236c21b4e042716d4dc6cc791b64d77fd7395b11a4f45a69203e31f95b6f5e32bd86d8e533b66b2eed86e12e89b4907a814

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 38 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\New-Order.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1356
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\kay.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kay.vbs
    Filesize

    13KB

    MD5

    176af413683987deea53dbad395c8027

    SHA1

    f3b812fb7332428198a741ab6dd87512de3d90b7

    SHA256

    54c8679f246a73a270a028047bd7a6e99ef4b8ca4c1fedaa3ef8f721c374ae8b

    SHA512

    99afe74936a00618b1380c7ee0a64c31adf8948286576c0c14f6c63d00ca9160d66c95b5a2fe99855d6bbf03412180e0f01e9e817caa24f74449dad513808dd9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js
    Filesize

    24KB

    MD5

    169755648aaba2c23fb1b231a712c8a1

    SHA1

    31cfa09f2acd9b2df004f6934ffcd5bc8919d5b6

    SHA256

    9610c1b7745f4e5ba3f0034cf634ee5b00ea01a9dcaecc23853ed064296d1eda

    SHA512

    08c4aa0a41c50673ceeaf7f47b6c0615421e275907551841d229818d6d40d3a15eab2be21da602036ad34ebd8a7adec968fb41c0cd2fe5c5dfe5e7b9f4330c11

    Download Submit
  • memory/1356-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4496-131-0x0000000000000000-mapping.dmp
    Download