Analysis

  • max time kernel: 149s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 21-06-2022 09:07

General

  • Target: receipt.js
  • Size: 139KB
  • MD5: 553ae64ec92c74a02701ca3881915b7b
  • SHA1: a6c4676312e2bb96226fbcddbed738b30d15ec1c
  • SHA256: 5f8233b2a9235541fd9e1b526c546c911dd69e9ee5e917c2540e2123748a6eba
  • SHA512: 0a39079d2a4a2a03356396da5339cce8d8754261437ca74212aa71a19ab6726701404462c82c02914ddb5e7c957871b434a647b592d3266415c4eb906ea687a7

Malware Config

Extracted

  • Family: vjw0rm
  • C2: http://zeegod.duckdns.org:9003

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (17 IoCs)
  • Drops startup file (3 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 1580)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 112, child of PID 1580)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • C:\Users\Admin\AppData\Roaming\DiIvjwrRBk.js
    Filesize: 49KB
    MD5: 51a764a1843be91da6398b3db85a4522
    SHA1: 123f9f2bf93092dc01685dcb0efa0967ad451ccd
    SHA256: ea062b959e8551f2f206bfb67fc8ce1c7f6d2909fa56228f81582ceca136a932
    SHA512: 965314adb06f7dbcd189c76321b5926e9340dee25dadff74356a97fca005ae86429376044b08d65f6916ab9431a0c7ec2754345ce8549efea3c84e6b236be074

  • memory/112-55-0x0000000000000000-mapping.dmp

  • memory/1580-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp
    Filesize: 8KB