Analysis

  • max time kernel
    170s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2022, 07:18

General

  • Target

    QvLXNFAtqb_Tadexax2223.js

  • Size

    23KB

  • MD5

    ee1763127209217a0fce04f2aed9e0f1

  • SHA1

    6357452db989571b53d921f9a8cfc82a3650441d

  • SHA256

    4e758da9d292aa5126efb6ad52e26742985680e554f5491544a9fea1af837799

  • SHA512

    5ac1cbe8b411563c84ec87ba3e97c184fb19dd84cc18b60950330864b1328ae8d4ceb616ba6e90c16a47cde4302ea8da48ca9ace94fbe9faffe41f0970b6ba99

  • SSDEEP

    384:jpLqUVwuBf5oocGTQ1MNKsijegDvgjmyljNetiPg8ClyhCCy1NEM+9v8dHVgI/la:dLqQvBf5oPGTyMEsije4vgj5ciPgXyhL

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 16 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\QvLXNFAtqb_Tadexax2223.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BoINCSmfdi.js"
      2⤵
        PID:624

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Roaming\BoINCSmfdi.js

            Filesize

            6KB

            MD5

            8199ee5c636954199baf737a99ce0e47

            SHA1

            7a533e8dbacb75bd255650d4e24033c1d252e556

            SHA256

            e8467cdda44971d238500b8776ddbd6d19454894574f135fb64349c7f863332b

            SHA512

            22cb45d943917cf11fa6101f13ffebd869e92b8b31a8eb29bb3e16fab36fbcf919cd2dd6a6b525800887a68091f244d1e055218b09e14ac7e16c10948df903ed

          • memory/1208-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

            Filesize

            8KB