Analysis

  • max time kernel
    197s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 09:44

General

  • Target

    AWB-14062022.js

  • Size

    47KB

  • MD5

    db27256d436350714fb51710dc897335

  • SHA1

    ce68eda62d41b82fe24b0a2afa75204c401f33d4

  • SHA256

    d5dde5256817dcaa65fa26a9a34283989c61aa3b675f3e9e3f87ad48045a47ff

  • SHA512

    88ffd93ccd02a1505e7bf792500d48ea6f6784921edb7006fc85f90af3c6903088d210af1c4fb6c1f2c8f112dc1f5cc578ef17e0585588a196738de33fe288bf

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript and executed through the Windows Script Host (wscript.exe). In this run the submitted AWB-14062022.js dropped two further scripts (IbabFGXugh.js under Roaming and coco.vbs under Local\Temp), launched both from a second wscript.exe, and persisted via a Run key and a Startup-folder entry.

  • Blocklisted process makes network request 18 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country/region code configured in the registry. This is most likely a geofence check: the script can decide whether to run at all based on the victim's locale.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Enumerates connected storage and optical drives. The sandbox's generic description calls this likely ransomware behaviour, but nothing in this report shows files being encrypted; for a Windows Script Host worm such as Vjw0rm, drive enumeration is more consistent with looking for removable media to copy itself to. Treat the ransomware label as the signature's default wording, not an observation from this run.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB-14062022.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4592
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4628
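The process tree above is the part of this report most useful for detection: a script host started from a per-user directory, a second wscript.exe started with the silent //B switch from Roaming, and wscript.exe acting as the parent of wscript.exe. The following is an added example, not code from the sandbox or from the sample; it turns those three observations into rules over process-creation telemetry. It assumes the events have been normalised to dicts with the hypothetical keys pid, image, cmdline and parent_image (Sysmon event 1 fields renamed). The sample events are constructed from the command lines shown in the tree; the parent of PID 4064 is assumed, since the report does not give it. The SHA256 lookup uses the hashes listed under Downloads later on the page.

```python
"""Detection rules for the Vjw0rm process tree in the report above.

Added example, not sandbox or sample code. Event dicts use the hypothetical
keys 'pid', 'image', 'cmdline' and 'parent_image' (assumed normalisation of
Sysmon event 1 or equivalent telemetry).
"""
import hashlib
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A .js/.vbs (or similar) script run out of a per-user Temp or Roaming directory,
# the pattern for AWB-14062022.js, IbabFGXugh.js and coco.vbs in the report.
USER_SCRIPT_RE = re.compile(
    r"\\Users\\[^\\\"]+\\AppData\\(?:Local\\Temp|Roaming)\\[^\"]*?\.(?:js|jse|vbs|vbe|wsf)\b",
    re.IGNORECASE,
)
# //B switches wscript into batch mode, which suppresses error dialogs; droppers
# use it to stay silent, interactive users almost never type it.
BATCH_FLAG_RE = re.compile(r"(?:^|\s)//B(?=\s|$)", re.IGNORECASE)

# SHA256 values of the submitted file and the two dropped scripts, from the report.
KNOWN_SHA256 = {
    "d5dde5256817dcaa65fa26a9a34283989c61aa3b675f3e9e3f87ad48045a47ff": "AWB-14062022.js",
    "82495325de3618c6ccb18a342e852ea876e5e9deba2d8d0739807f7c2f882112": "IbabFGXugh.js",
    "cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc": "coco.vbs",
}

# Constructed events (not sandbox output), modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 4064, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB-14062022.js",
     "parent_image": r"C:\Windows\explorer.exe"},          # parent assumed
    {"pid": 4592, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"',
     "parent_image": r"C:\Windows\system32\wscript.exe"},
    {"pid": 4628, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"',
     "parent_image": r"C:\Windows\system32\wscript.exe"},
    # A benign admin logon script (constructed), to show the rules do not fire on every wscript run.
    {"pid": 5120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def evaluate(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return hits
    cmdline = event["cmdline"]
    if USER_SCRIPT_RE.search(cmdline):
        hits.append("script_from_user_appdata")
    if BATCH_FLAG_RE.search(cmdline):
        hits.append("wscript_batch_mode")
    # wscript.exe launching wscript.exe is the dropper-to-payload hand-off seen in the tree.
    if ntpath.basename(event.get("parent_image", "")).lower() in SCRIPT_HOSTS:
        hits.append("script_host_spawns_script_host")
    return hits


def score_events(events):
    """Map PID -> fired rules for every event that triggers at least one rule."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["pid"]] = hits
    return findings


def match_dropped_file(data):
    """Return the report's file name if `data` hashes to a known artefact, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for pid, hits in score_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Each rule is weak on its own (administrators do run .vbs files, and //B has legitimate uses in scheduled tasks), which is why the function returns all rule names rather than a boolean: the 4592 event that fires all three is the high-confidence hit, while a single "script_from_user_appdata" on its own is a lead to review alongside the Run-key and Startup-folder writes the report lists.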

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature)
  • Defense Evasion: Modify Registry, T1112 (1 signature)
  • Discovery: Query Registry, T1012 (1 signature)
  • Discovery: System Information Discovery, T1082 (2 signatures)

The technique IDs are from ATT&CK v6. T1060 has since been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112, T1012 and T1082 keep the same IDs in current versions.


Downloads

  • C:\Users\Admin\AppData\Local\Temp\coco.vbs
    Filesize

    13KB

    MD5

    c654a6599cf8a2a114c82cf39890527e

    SHA1

    0fdd2f5ac577d5491cdad11e9ab9682eb29f2e3b

    SHA256

    cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc

    SHA512

    dc954af78c3e4daaa53ee81cbab5b6831e95b6fa80e7fff56febf884389da5feb473207b0121a81d704755039ed3b8d3870f07620e5fc58161df1c82210bf357

  • C:\Users\Admin\AppData\Roaming\IbabFGXugh.js
    Filesize

    9KB

    MD5

    a7ef36ca4a8acfd3cb53d47a03d038b6

    SHA1

    c927276040e11629198ad9417382c38472726cf2

    SHA256

    82495325de3618c6ccb18a342e852ea876e5e9deba2d8d0739807f7c2f882112

    SHA512

    1594a78af5df8ba4ece0e540859095f1a005a7d419b32c37ddb95a5d1b946dccfb6e00f76eee9dccf88bd7f7c86436cb2b619c579d14655e847679535fd7f027

  • memory/4592-130-0x0000000000000000-mapping.dmp
  • memory/4628-131-0x0000000000000000-mapping.dmp