Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220901-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22/09/2022, 10:31

General

  • Target

    Wire_payment00121.js

  • Size

    122KB

  • MD5

    2e9bd6a3ba6f438cb52e02eb57dfabec

  • SHA1

    756d8111e06785e10b3b16b9bb57fe1200793952

  • SHA256

    b94ffe4623401b130c6d61df228148995ca4c9c5e0549b930da379faaf7ed608

  • SHA512

    8dd16f125e41a7dc3f0bd8126818e1ae3c4a42ae74e4010ea9f22151d5dd321075b8bfd845bbaaceef86a87eef8afdb954cacd598255c569465095b949dc4b83

  • SSDEEP

    3072:IHkMqQkkzkjAhWA9NPLeATG8Hu/ep2niX1P8Ji:IHkl3APPb12iXGi

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 13 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; for Vjw0rm, which copies itself to removable drives, it is equally consistent with worm propagation.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Wire_payment00121.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:948
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vkuilxi.txt"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\logo670358334554939628.jar"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1388
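The process tree above is the detection opportunity: a Windows Script Host process runs a script out of a user-writable directory, spawns javaw.exe with a "-jar" argument pointing at a file with a .txt extension in AppData\Roaming, and that Java process in turn launches a second JAR from Temp. The following is an added example, not part of the original report or of any vendor's product: it encodes those observations as rules and runs them over constructed process-creation events copied from the tree. The event schema (pid, ppid, image, cmdline), the parent PIDs of the first wscript.exe and of the benign control, and the rule names are assumptions.

```python
"""Flag the wscript -> javaw -jar <non-.jar> chain seen in the sandbox process tree.

Added example; not part of the original report. Field names and the two
parent PIDs not present in the report (1100, 800) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PIDs 1364/948/1296/1388 are the
# report's own. PID 1100 (parent of the first wscript.exe) and the explorer
# parent 800 of the benign control are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1364, 1100, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Wire_payment00121.js"),
    ProcEvent(948, 1364, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js"'),
    ProcEvent(1296, 1364, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vkuilxi.txt"'),
    ProcEvent(1388, 1296, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\logo670358334554939628.jar"'),
    # Benign control (constructed): javaw started by explorer with a JAR under Program Files.
    ProcEvent(2000, 800, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\SomeApp\app.jar"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}


def split_cmdline(cmdline: str) -> list:
    """Windows-style tokenizer: a double-quoted run is one token, else split on whitespace."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    # Assumption: anything under a profile's AppData tree is user-writable.
    return "\\appdata\\" in path.lower()


def jar_path(tokens: list):
    """Return the argument following -jar, or None when the command has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-jar":
            return tokens[i + 1]
    return None


def evaluate(events: list) -> dict:
    """Map pid -> list of rule names that fired for that process."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = []
        name = image_name(e.image)
        tokens = split_cmdline(e.cmdline)
        parent = by_pid.get(e.ppid)
        if name in SCRIPT_HOSTS and len(tokens) > 1 and in_user_writable(tokens[1]):
            hits.append("script_host_runs_script_from_appdata")
        if name in JAVA_HOSTS:
            jar = jar_path(tokens)
            if jar is not None:
                if not jar.lower().endswith(".jar"):
                    hits.append("java_jar_with_disguised_extension")
                if in_user_writable(jar):
                    hits.append("java_jar_from_user_writable_path")
            if parent is not None and image_name(parent.image) in SCRIPT_HOSTS:
                hits.append("script_host_spawned_java")
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Run against the constructed events, PID 1296 (javaw.exe started by wscript.exe with "-jar" on a .txt under AppData\Roaming) trips all three Java rules, PID 1388 trips only the user-writable-path rule, both wscript.exe instances trip the AppData script rule, and the benign control produces nothing. The "-jar" on a non-.jar file is the highest-confidence signal of the four; the AppData rules are noisy on their own and are best used as context for it.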

Network

MITRE ATT&CK Enterprise v6

Downloads

        • C:\Users\Admin\AppData\Local\Temp\logo670358334554939628.jar

          Filesize

          51KB

          MD5

          fca3dc4c73f67ec888aafc37a4464739

          SHA1

          2511a3e134f2c64e1f94fefc44db06523debdaf9

          SHA256

          a233f20270742df1df1b135933a9155602802e459a663393b1a34c99496ae916

          SHA512

          f48b2604772384a0c2c070fd9c76d78d542132a63ebf0e5ba457689d12ea7c5026b52a9cdbd093746dc1d1a2b255095a9e60cd4f8a9dda8852e4436050273831

        • C:\Users\Admin\AppData\Roaming\vkuilxi.txt

          Filesize

          57KB

          MD5

          59752f841ad1eac6caa86af34a5ae05f

          SHA1

          e0e64838635f83cc207abada5b6301cb136b85dc

          SHA256

          c0d3b3af1c8133018422f65bcce05864d0f8f446f8ed7c6adafb6832d7be0a85

          SHA512

          675ed6a022d62a0bd81500bd5592be7373a13f67f26367ad2f4a3ee18fe01a8d3171a759e99bf00db7145ac8b6509c99bd8a3e3da98aaef7253a951d2a5c3431

        • C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js

          Filesize

          5KB

          MD5

          3f105e8206e44ccdd4dece8261834b92

          SHA1

          95b3f3ab53aff4ac98e4e617ab3176a661ec3030

          SHA256

          aa73976ca89d1e98b4032da92adb7229d90f14b7f649443b87205a0b542bed75

          SHA512

          7c4f203852623c7dcf15b780487a42bdcde25855aac5061813af59cf36f8379d429e917e0f7704176104f62e562e3b6c552197db7b229fef50a561acec85267f

        • memory/1296-70-0x0000000002030000-0x0000000005030000-memory.dmp

          Filesize

          48.0MB

        • memory/1364-54-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

          Filesize

          8KB

        • memory/1388-83-0x0000000002250000-0x0000000005250000-memory.dmp

          Filesize

          48.0MB

        • memory/1388-89-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB

        • memory/1388-88-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB

        • memory/1388-90-0x0000000002250000-0x0000000005250000-memory.dmp

          Filesize

          48.0MB

        • memory/1388-91-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB

        • memory/1388-92-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB
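The Downloads list shows why extension-based triage fails here: vkuilxi.txt is executed with "-jar", so it is a JAR (a ZIP archive carrying META-INF/MANIFEST.MF) regardless of its name. The following is an added example, not part of the original report: it sniffs a dropped file's content, reports an extension mismatch, and looks its SHA256 up in the hash set copied from the report. The sample JAR is constructed in memory, so it will not match any reported hash; the function and field names are assumptions.

```python
"""Content-vs-extension check for dropped files, with a lookup against the
SHA256 values listed in this report. Added example; the sample JAR is
constructed here and is not the real vkuilxi.txt."""
import hashlib
import io
import zipfile

# SHA256 values copied from the report's Downloads section.
REPORTED_SHA256 = {
    "a233f20270742df1df1b135933a9155602802e459a663393b1a34c99496ae916": "logo670358334554939628.jar",
    "c0d3b3af1c8133018422f65bcce05864d0f8f446f8ed7c6adafb6832d7be0a85": "vkuilxi.txt",
    "aa73976ca89d1e98b4032da92adb7229d90f14b7f649443b87205a0b542bed75": "xdkSHVkGHl.js",
}
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature that opens a ZIP/JAR


def is_jar(data: bytes) -> bool:
    """True when data is a ZIP archive that contains a JAR manifest."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes) -> dict:
    """Describe a dropped file: hash, known-bad match, and whether its name lies about its type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    digest = hashlib.sha256(data).hexdigest()
    jar = is_jar(data)
    return {
        "name": name,
        "sha256": digest,
        "known_bad": REPORTED_SHA256.get(digest),  # None unless the hash is in the report
        "is_jar": jar,
        "extension_mismatch": jar and ext != "jar",
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for the dropped .txt: a minimal JAR with a manifest and a stub class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    print(classify("vkuilxi.txt", build_sample_jar()))
    print(classify("notes.txt", b"just text\n"))
```

The hash lookup is exact-match only and will miss a recompiled or re-packed stage; the content check is what carries over to the next sample, since a dropper that needs javaw.exe to run its payload cannot avoid handing it a real JAR.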