Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2022, 11:51

General

  • Target

    eReceipt#.js

  • Size

    20KB

  • MD5

    f463015a0a92d3712514ef8d400942b9

  • SHA1

    7500026a1393410425ae99ba74aa74012d8f7c51

  • SHA256

    caf7270a354ba192bcb3adbe0ccfe74eed5de20ce99954a5f5ace68a0c7ad265

  • SHA512

    57d4a81ef176f26c73d69564290e95a3cce429fec5ade22ebf59df3dd6d6215a066a0472dcbe939f647f65b57fd3ec4cbccbd0e4381161550b29e0ae2f62ee09

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 17 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt#.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TinAizYutL.js"
      2⤵
        PID:4996
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\eReceipt#.js
        2⤵
        • Creates scheduled task(s)
        PID:636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\TinAizYutL.js

    Filesize

    5KB

    MD5

    90a592e75b596744ef43f1fa1b567842

    SHA1

    58ef4539d609277c5da366ea038f3d2ec951391f

    SHA256

    02f55a0ea0071457afc46ea8298e9e7b9e23da7b743c906881c56d94540d76bc

    SHA512

    6d73b667e7cd7d90550dcfc832ccce00a99769fcad8cff0bf5eefdfb02df09c70d35bf395ea517fcc918f0e4d7237342bfe8f9df9f3cd23504bca94a1d123ef3