Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2022, 10:59

General

  • Target

    Purchase Invoice.js

  • Size

    60KB

  • MD5

    141484b1be6eb2fe39f6b810c8adea75

  • SHA1

    294f6b489e8b0201845e8e2c794f5c024c818065

  • SHA256

    c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987

  • SHA512

    8a5cd665c13b855c1678c92afc1f511455fa3b84de7425d276b3493c53b11c7ecd4a6c566fe8b5207d3f280d8ac8f149672e0ecb9bea98a2a16db6c80bdcd57a

  • SSDEEP

    1536:5YJm4ERgktGIefDKehgzpG6dGjsCtStW2zHyMdQ+HKrTzKpjCYD80zdNF8Dxl6:KJm4FhKdpG7Jr+8sdf

Score
10/10

Malware Config

Extracted

Family

vjw0rm

C2

http://harold.jetos.com:3609

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"
      2⤵
        PID:4964

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js

    Filesize

    18KB

    MD5

    941e8d1fbdde43c2ee8c905440206d8f

    SHA1

    01c5e045561277dd05756208d4363aa9017fa72b

    SHA256

    9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791

    SHA512

    7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24