Analysis

  • max time kernel
    132s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2022, 15:53

General

  • Target

    Purchase Invoice.js

  • Size

    25KB

  • MD5

    9aca2a4ff7b8ac6189ecd97173dd8d90

  • SHA1

    b32bcdc674d7f27285a14291f5a12ba2b47f7102

  • SHA256

    d90554b8cf36add67ceaaedfdcab5507eca5951197aed9b2a851485736640779

  • SHA512

    c35295f93ea3b103a20ea4613d7c4392d09fd819fc785dc47e4799ffa1d7b125af616e29dd35505e5ed857eaefd4a37ef3892f4d6d92c567c1d80b099d6abaf4

  • SSDEEP

    768:dLqQvBf5oPGTyMJsijesb02xFIIxo8rUURwkUOV8igT8dHVT/l5Q:pAPsb02xFIIT/wkUOV8ige2

Score
10/10

Malware Config

Extracted

Family

vjw0rm

C2

http://harold.jetos.com:3609

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"
      2⤵
        PID:1936

    Network

          MITRE ATT&CK Enterprise v6


          Downloads

          • C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js

            Filesize

            6KB

            MD5

            1214283010a75e6bf30c48c99722ee00

            SHA1

            baf927af2f820cf90a38bb0093097a18c7430fc6

            SHA256

            a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df

            SHA512

            ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156

          • memory/1972-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

            Filesize

            8KB