Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2022, 10:59

General

  • Target

    SZGefsAYXZ_Tadexax2223.js

  • Size

    56KB

  • MD5

    b73ba6eb7f6b4fc2d4711871d55f4d30

  • SHA1

    ac710b5a76921d81c1cbe5b5b8815c36536719d4

  • SHA256

    136916061bfeb5df05b83ba428bcd2005dccbce2035b2b28a029274bf95a25b4

  • SHA512

    98034cb31973fcff1c45cab52b993c32cb486134e62e18437074249b4b0bbdd0f47ca3b39bd01ed5370b546c72ce447632107d1afbaccf16c9392c3d3712ec0f

  • SSDEEP

    1536:5YJm4ERgktGIefDKehwa8q4kDrxch7WpgIf/P4yT/P6hYpP34PzsqH+F8n1x6:KJm4FhKk82HPcU

Score
10/10

Malware Config

Extracted

Family

vjw0rm

C2

http://185.157.162.75:2223

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\SZGefsAYXZ_Tadexax2223.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DrKzuLzfJN.js"
      2⤵
        PID:1904

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\DrKzuLzfJN.js

            Filesize

            18KB

            MD5

            6603a31cf804b8bfc789e62685a39291

            SHA1

            0d3918e67b92a5ced1a9ec8bc30d3103c53b1201

            SHA256

            a2d293790800a34a0b959815f28bc8cc8e1dea3729699936a710aed4fd8d0193

            SHA512

            77c5ff393d6e1485e3e41b4535f4fc58078f45f585f0b9ad515e0efa5b1796337ca40fe946aff5dd9c71cabd2442c69a828e237a039d10908192933f01f0854f