Overview

overview

10

Static

static

paymentref...pdf.js

windows7_x64

10

paymentref...pdf.js

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    paymentref062322pdf.js

  • Size

    329KB

  • MD5

    d7ae71a84f14783b8967f0c212c11a40

  • SHA1

    b6e65a134ed9ea8af13f15afecbda176efc670f3

  • SHA256

    fed6e6111eb6ef3d7d229ae1b88e2d641960a649cdf20e644073dd4ddbd1f624

  • SHA512

    5da6b457008fb251da48425a8b3095bcdd5013009f14300b7d8537ed1de2da87060251cdbcaaa1d53e01e95025c50d60a5aabde160d9c8f2fd5b67d2d7946f1c

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://vjmworks.ddns.net:4040

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 17 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\paymentref062322pdf.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dSTlIMurxt.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\dSTlIMurxt.js
    Filesize

    117KB

    MD5

    3ce1dcd3c1fc7cfcbd8eb339a7af50db

    SHA1

    bf3af7454116ad782019224f8a82924dc0424911

    SHA256

    baf6922678c85c6269c3c689dd25dcc1eda5db4857ac870246fe36d1a7315a41

    SHA512

    f64d10cafebf99e589af69b2061506ded48242b5df784131243d52f7fc99025b18e5e07c07bed5f7764e5d2006710d1fbf21ddb79a5ee20c47c53e76e7c7336d

    Download Submit

  • memory/3192-130-0x0000000000000000-mapping.dmp

    Download