Analysis

  • max time kernel
    143s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 14:30

General

  • Target
    sYCuOOjDOl_vjstub.js
  • Size
    29KB
  • MD5
    dac9ed798f79a40ef59756c710f61593
  • SHA1
    199bfa38a09181e9396cef4d3b29b0762c5ba987
  • SHA256
    94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
  • SHA512
    ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 15 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\sYCuOOjDOl_vjstub.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\egqENcOXOr.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1772

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Roaming\egqENcOXOr.js
    Filesize
    10KB
    MD5
    dffdb0fc6b534c658575b72bfd4826ae
    SHA1
    d6cc3039c628b6d9e8a137933fa953e785a9ef0b
    SHA256
    7e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939
    SHA512
    c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae

  • memory/1772-130-0x0000000000000000-mapping.dmp