adwind | 0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0

General

Target

jyahaoabcs.js
Size

953KB
MD5

b0858d86fb22aa01d7ad40ef5ab0b069
SHA1

6c6c7a2f34149a8702d2ae401294291d38c064a0
SHA256

0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0
SHA512

980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6

Score

10^/10

adwind vjw0rm persistence trojan worm

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

2040 javaw.exe

pid	process
2040	javaw.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exejavaw.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 1272	1120	wscript.exe	WScript.exe
PID 1120 wrote to memory of 1272	1120	wscript.exe	WScript.exe
PID 1120 wrote to memory of 1272	1120	wscript.exe	WScript.exe
PID 1120 wrote to memory of 2040	1120	wscript.exe	javaw.exe
PID 1120 wrote to memory of 2040	1120	wscript.exe	javaw.exe
PID 1120 wrote to memory of 2040	1120	wscript.exe	javaw.exe
PID 2040 wrote to memory of 852	2040	javaw.exe	java.exe
PID 2040 wrote to memory of 852	2040	javaw.exe	java.exe
PID 2040 wrote to memory of 852	2040	javaw.exe	java.exe
PID 2040 wrote to memory of 872	2040	javaw.exe	cmd.exe
PID 2040 wrote to memory of 872	2040	javaw.exe	cmd.exe
PID 2040 wrote to memory of 872	2040	javaw.exe	cmd.exe
PID 872 wrote to memory of 1080	872	cmd.exe	cscript.exe
PID 872 wrote to memory of 1080	872	cmd.exe	cscript.exe
PID 872 wrote to memory of 1080	872	cmd.exe	cscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jyahaoabcs.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
2⤵
- Drops startup file
- Adds Run key to start application
PID:1272

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\sfdyftrokx.txt"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.78788133516512461187632103980904729.class
3⤵
PID:852

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5280658648225861446.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5280658648225861446.vbs
4⤵
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.78788133516512461187632103980904729.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\sfdyftrokx.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
Filesize
24KB

MD5
9cb94db4ae02bd253f2a41995076f5d2

SHA1
51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1

SHA256
16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec

SHA512
f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161

Download Submit
memory/852-85-0x00000000023B0000-0x00000000053B0000-memory.dmp

Filesize
48.0MB

Download
memory/852-70-0x0000000000000000-mapping.dmp

Download
memory/852-83-0x00000000023B0000-0x00000000053B0000-memory.dmp

Filesize
48.0MB

Download
memory/872-87-0x0000000000000000-mapping.dmp

Download
memory/1080-88-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1272-55-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download
memory/2040-84-0x0000000002320000-0x0000000005320000-memory.dmp

Filesize
48.0MB

Download
memory/2040-79-0x0000000002320000-0x0000000005320000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads