Analysis

  • max time kernel
    176s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-07-2022 09:56

General

  • Target
    eVoucher.js
  • Size
    29KB
  • MD5
    48d9924ce427fdd657487fdf2858f7f9
  • SHA1
    4e6d949dfbc65d7abfae5fe2f4302c556ac0a54f
  • SHA256
    d339b022589120edd727f6c3307e0df5851d4073f4d8f588116cf9f49512df9b
  • SHA512
    d56567298581bbdd414b6d35448d0a69fc884994abf843e030fffb4337cf9122f66f10744cca4ad6745260912569fc5ef1d36d6051952c407397e7602e71a303

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (13 IoCs)
  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 1604)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 1192)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js"
    • C:\Windows\System32\schtasks.exe (PID 792)
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eVoucher.js
      • Creates scheduled task(s)

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: 1 × Scheduled Task (T1053)
  • Persistence: 1 × Registry Run Keys / Startup Folder (T1060); 1 × Scheduled Task (T1053)
  • Privilege Escalation: 1 × Scheduled Task (T1053)
  • Defense Evasion: 1 × Modify Registry (T1112)
  • Discovery: 1 × System Information Discovery (T1082)


Downloads

  • C:\Users\Admin\AppData\Roaming\ZIdtxECakT.js
    Filesize
    8KB
    MD5
    1faddc7933cfad79bb1e2721b209054d
    SHA1
    d296650263c2056776a426b2f425efdf947f8091
    SHA256
    30c0bf91205929a0683f72394eb17014b7ada70e5ecb2f5dc33ef6fc3c75b9cb
    SHA512
    08b641e45e34eda6401cb23dfcd0b9ad815a393bdb8bd75ae214062c3edc41ea209b0fc47b0330ac787050efc467cc9157996eae24d4d0898f245c4e972d6e72
  • memory/792-57-0x0000000000000000-mapping.dmp
  • memory/1192-55-0x0000000000000000-mapping.dmp
  • memory/1604-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp
    Filesize
    8KB