Overview

overview

10

Static

static

PO docs.js

windows7_x64

10

PO docs.js

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO docs.js

  • Size

    167KB

  • MD5

    ce75410067a95c5ceccf08f7487cf247

  • SHA1

    e38edaf16c0b2e994fc65e5228912428c6fdffa3

  • SHA256

    f356566e43a72607bcb73734f5c3dd4b03117f42a03e0534b327e2fb4b3d7132

  • SHA512

    719977b1962ea8799e3cdb1b933efa6547dcc1a215ec97a544f522e903e6904df2e688463799dbf70ae89fb9a6ee485ab09b40fed342824c530513f34000b95c

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://45.138.16.233:1985

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO docs.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js
    Filesize

    59KB

    MD5

    e3091e4a999ec41da7d4d2ebadb7c8ef

    SHA1

    aecd036bbce0311cccdf65b0dea0400b772f1fa8

    SHA256

    dd87b61a5fba9e7e4af3fb26b117c7d7d2b5915f6e4e8d5b77b2b3eda23cc7da

    SHA512

    32628e545c43f6f8c9258ee17f4551732cddb8fa599fa510a849cce2f74abf5d89eeadd4b3db669d8786d23aeb44c82e773fafe5b31d8c23a1d845293d01f61e

    Download Submit
  • memory/1060-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
    Filesize

    8KB

    Download