Overview

overview

10

Static

static

Shipping D...643.js

windows7_x64

10

Shipping D...643.js

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 09:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Documents AWB#5305323204643.js

  • Size

    429KB

  • MD5

    f992d6aac0c0d0ea532d8128827c1492

  • SHA1

    135f458e0f462fcd95a420af6e34169a0e66a3b7

  • SHA256

    19c2b2552b72e578804e41f698eb760655ec2826fc42fe365eb1bd5b7e1ce38b

  • SHA512

    eb59741e2f70d5aa019166ed940a92701526d7549f95ddb0ecfe656db55177d3c65dd6205a47c8b72aac3222f901d5f36a06567631cebf5eb8d44a48add46867

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Shipping Documents AWB#5305323204643.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2376
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
      2⤵
      • Drops file in Program Files directory
      PID:4796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SM.jar
    Filesize

    164KB

    MD5

    edf0e95033cb0df96be06c5088142288

    SHA1

    3972af92633203e7857ec0e4ae65246b32c83539

    SHA256

    9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

    SHA512

    b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js
    Filesize

    49KB

    MD5

    bdc987e24f3756203aba0bdad8f3f455

    SHA1

    f45575f65715623d255b8c3f403306ab8598b874

    SHA256

    deb124489dadb59b3c7a6afd7a6f774538935fb0968b04dd8ca6de104d2cc19b

    SHA512

    32ae2c2794ff4a5d662f013f946f1ef5ce0b489c171ed5991468ef82d011de952b78bb23a9428e3c2b96f140e1ece9cc81e308da698698b8dc18041bbd0a1805

    Download Submit

  • memory/2376-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4796-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4796-141-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4796-163-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4796-164-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4796-165-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4796-166-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4796-167-0x0000000002E70000-0x0000000003E70000-memory.dmp

    Filesize

    16.0MB

    Download