Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-06-2022 15:20
General
-
Target
Faktura 22062022105025.js
-
Size
453KB
-
MD5
e0ee6501ff7c833e22e405f0a3add213
-
SHA1
bb2685e7c70428de5848f1b1f53d5b687b9610f8
-
SHA256
5e691b3588f4bcffbe60656a23ee0bb46081c4b7d18d0f600af6508a2dcf7768
-
SHA512
f3c6eae4a7b33e86c167d2fb3cef9437bb3d3f9beee3c105e4693facca06b38e60322f0e285b2b1d9753d42c1450ff9d5302365c3d81e28f6687bf707a49bdf4
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 16 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Faktura 22062022105025.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"2⤵
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SM.jarFilesize
164KB
MD5edf0e95033cb0df96be06c5088142288
SHA13972af92633203e7857ec0e4ae65246b32c83539
SHA2569712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
SHA512b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a
-
C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.jsFilesize
58KB
MD56e19c9be0455699d39ecac41f332827c
SHA1ac1be0bad3bf9c19d5927408809dd7c70ce7ac26
SHA2565bc218e50e5fd2027ff0467989a4972c63a1478eae5ae918728d3b4213df202e
SHA51205ba615f7444271a30da4ffb93faed0b88f4897338ca891df8e834cb79973fdcdd534a8d398757346a7e33de761316d0ae7764abfda3bd9b8170d695aa7ca59d
-
memory/2820-130-0x0000000000000000-mapping.dmp
-
memory/3340-132-0x0000000000000000-mapping.dmp
-
memory/3340-138-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-151-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-154-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-155-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-159-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-161-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-162-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB
-
memory/3340-163-0x0000000003140000-0x0000000004140000-memory.dmpFilesize
16.0MB