Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2022, 14:12

General

  • Target

    New Order.js

  • Size

    12KB

  • MD5

    708bb09719cadbf4955924c22f8bc32f

  • SHA1

    03fa57e6a7f07b08e4aa5a2f1f5cc5250b7793f2

  • SHA256

    53bbab870aa1d49a4e311a68a163692115d59e4c2fd5493abca783dbf55f45f9

  • SHA512

    392089bb77788e8825ec58c5f3cf480cdfd76495417580cbddbc6ef87ea6a7a4716fd40302f84d916fd1ccab2d0b9a60c3749c33cf799c50558fe19d9b7ab233

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 15 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js"
      2⤵
        PID:1456
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js
        2⤵
        • Creates scheduled task(s)
        PID:1724

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js

            Filesize

            1KB

            MD5

            fbaec096e2d7b0f56c7abdb5f171e8b3

            SHA1

            2c26f08b135fa9f04e1fbc3c93dbf4df0b17cb66

            SHA256

            1f8ce58992df786114e0d5a23ff54bf867391bdabafb720776c3d8871fd8a0b5

            SHA512

            67537a2e7fd94686d0320e5a0dcd0e0214de08f4f4c3ab4c34c969e2a6d9123fec6c08206d5ba07b511e1acd23f464106e9daa21248407a7a5dc1cd69de49b27

          • memory/1964-54-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

            Filesize

            8KB