Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2022, 06:29

General

  • Target

    irNWRQGlUq_ned7070vjw0m.js

  • Size

    13KB

  • MD5

    debf7829f2c506abd5871f323a289062

  • SHA1

    737e77bdcce38f483e78af1268c2b648b9fab469

  • SHA256

    bcb25042af4894ddf1c1cd08f5c7a8a0f1c926e9122169b441e5182ca6424330

  • SHA512

    1e77b80c64ad0a555eb3bb0d655e897a00469b1eb238cff2bacd4fa6922a39fda32020b6c19d155f7244de01d8793bc9f6167e158465d3388010e721e93e6e64

Malware Config

Extracted

Family

vjw0rm

C2

http://185.157.162.75:7070

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\irNWRQGlUq_ned7070vjw0m.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DdvHbzgOOu.js"
      2⤵
        PID:1492
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\irNWRQGlUq_ned7070vjw0m.js
        2⤵
        • Creates scheduled task(s)
        PID:488

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\DdvHbzgOOu.js

            Filesize

            1KB

            MD5

            04061d4008e6b4a69043fb096e6885ac

            SHA1

            3f5173c3d152b1503c7f1be11d05f9dc9a67b434

            SHA256

            9218ad83bc4db36160c1a0e76168f63ffb64c1e480af59dce5c76e9b9561a37d

            SHA512

            37af42458de31311c322ea0b7088c01148663414633d5842185f149844f874fe85379f4e440376be781097285e50398ab61241b390cc7c68542d1fa4fb31da81