Analysis
-
max time kernel
22s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-06-2022 09:59
General
-
Target
????????? ?? ?????? Ref. No. MS-DGP-220137.js
-
Size
375KB
-
MD5
b34c9083eed5a3f38346fa1bf618745e
-
SHA1
bdd94f1f3509a6507b280d06a240c2df1c5a37e6
-
SHA256
12ca249e9fa5ed956d072ec466416fe50cf35c4c6c481ce19e07a52ef31e1a8a
-
SHA512
347bebc6d34a940423af01ac145c6e78555ba606a80af66973bf9ab9f73f23760fc0e27569ae15df7c5f3e53cc14f8889a00d38860f3255ca0868c8196f6763b
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\_________ __ ______ Ref. No. MS-DGP-220137.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BCSDWooOYA.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"2⤵
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\SM.jar"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SM.jarFilesize
164KB
MD5edf0e95033cb0df96be06c5088142288
SHA13972af92633203e7857ec0e4ae65246b32c83539
SHA2569712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
SHA512b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a
-
C:\Users\Admin\AppData\Roaming\BCSDWooOYA.jsFilesize
30KB
MD5f95e2fe23993c064a1ebe6ae37151557
SHA156bd821e2fdb2b1f29e87ed82a1f35832501a166
SHA256a0067ec481aa5a688c7f3db9d48a4a6eea6b1b801edb53a6d820133f10201d78
SHA512423de8b117a99f7e23f9423760d7c96b28fcde2bcdca3d4da2b114c1a3b4d2d3b96dae0a643c364d014082d1900ca1657aaaf6814e0a986fcc8f9abb721acd37
-
memory/2788-132-0x0000000000000000-mapping.dmp
-
memory/2788-138-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/2788-151-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/2788-153-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/2788-155-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/2788-165-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/2788-173-0x00000000025F0000-0x00000000035F0000-memory.dmpFilesize
16.0MB
-
memory/4452-130-0x0000000000000000-mapping.dmp