Overview

overview

10

Static

static

Custom Cle...643.js

windows7_x64

10

Custom Cle...643.js

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Custom Clearance Doc. AWB#5305323204643.js

  • Size

    616KB

  • MD5

    33d87ba5f5667d83a06e8794e464e6e8

  • SHA1

    b0b8207b5804987067391f6192b8c233dfccbae7

  • SHA256

    1e24a6a3246bd6d1af9c3a90880b4518afe0bbaa40f8f922138e1d3f8a4f02de

  • SHA512

    1ba63984598b1b6400e915dd026bd45e3d12553e7202c6577ca8f0d7f0e6215127ca3a4063a6256f18f956a5ee0f7580d9908084f191f6c8a94cf328fde07e88

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 14 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2832
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
      2⤵
      • Drops file in Program Files directory
      PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SM.jar
    Filesize

    164KB

    MD5

    edf0e95033cb0df96be06c5088142288

    SHA1

    3972af92633203e7857ec0e4ae65246b32c83539

    SHA256

    9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

    SHA512

    b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js
    Filesize

    117KB

    MD5

    5ec7e975e42079dacb58ad5e712df35f

    SHA1

    6c963b465c7ddc9081add19f0c99eac3e969f819

    SHA256

    4be6ef286e027bd596340d08cc8640d213cff7fbf93638a2ccee267fa42512b8

    SHA512

    ca38464e394d43a8320baa24163cf3921a66ce3a87a8f4da7d20718ab6248319cb6d08de61509b81061d353da23033412fa9b121c14c2c32df5aa2859a7e13a8

    Download Submit
  • memory/2516-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2516-141-0x00000000029A0000-0x00000000039A0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2516-158-0x00000000029A0000-0x00000000039A0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2516-159-0x00000000029A0000-0x00000000039A0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2516-160-0x00000000029A0000-0x00000000039A0000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2832-130-0x0000000000000000-mapping.dmp
    Download