Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/09/2022, 10:31

General

  • Target

    Wire_payment00121.js

  • Size

    122KB

  • MD5

    2e9bd6a3ba6f438cb52e02eb57dfabec

  • SHA1

    756d8111e06785e10b3b16b9bb57fe1200793952

  • SHA256

    b94ffe4623401b130c6d61df228148995ca4c9c5e0549b930da379faaf7ed608

  • SHA512

    8dd16f125e41a7dc3f0bd8126818e1ae3c4a42ae74e4010ea9f22151d5dd321075b8bfd845bbaaceef86a87eef8afdb954cacd598255c569465095b949dc4b83

  • SSDEEP

    3072:IHkMqQkkzkjAhWA9NPLeATG8Hu/ep2niX1P8Ji:IHkl3APPb12iXGi

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 15 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Wire_payment00121.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2988
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wjrvkex.txt"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\logo3856353070004354294.jar"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1672

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

    Filesize

    50B

    MD5

    5fd00f4882ffad65530dbc44424b4ed5

    SHA1

    421e76ccd92dd52a0b0c857ca8cd9956f0b4f310

    SHA256

    60483f621fbbadcbb348498d9b15caa888112bad8b3b5c92207c44c8f02c01ee

    SHA512

    fa0bbd2b85d274107ee305f147ef32722f44684f1644838be2a334daead074b58ea49043ea910e10c0aa844ccd12bb1340bbef279ef6526d6b33f93e7ae6ea0f

  • C:\Users\Admin\AppData\Local\Temp\logo3856353070004354294.jar

    Filesize

    51KB

    MD5

    fca3dc4c73f67ec888aafc37a4464739

    SHA1

    2511a3e134f2c64e1f94fefc44db06523debdaf9

    SHA256

    a233f20270742df1df1b135933a9155602802e459a663393b1a34c99496ae916

    SHA512

    f48b2604772384a0c2c070fd9c76d78d542132a63ebf0e5ba457689d12ea7c5026b52a9cdbd093746dc1d1a2b255095a9e60cd4f8a9dda8852e4436050273831

  • C:\Users\Admin\AppData\Roaming\wjrvkex.txt

    Filesize

    57KB

    MD5

    59752f841ad1eac6caa86af34a5ae05f

    SHA1

    e0e64838635f83cc207abada5b6301cb136b85dc

    SHA256

    c0d3b3af1c8133018422f65bcce05864d0f8f446f8ed7c6adafb6832d7be0a85

    SHA512

    675ed6a022d62a0bd81500bd5592be7373a13f67f26367ad2f4a3ee18fe01a8d3171a759e99bf00db7145ac8b6509c99bd8a3e3da98aaef7253a951d2a5c3431

  • C:\Users\Admin\AppData\Roaming\xdkSHVkGHl.js

    Filesize

    5KB

    MD5

    3f105e8206e44ccdd4dece8261834b92

    SHA1

    95b3f3ab53aff4ac98e4e617ab3176a661ec3030

    SHA256

    aa73976ca89d1e98b4032da92adb7229d90f14b7f649443b87205a0b542bed75

    SHA512

    7c4f203852623c7dcf15b780487a42bdcde25855aac5061813af59cf36f8379d429e917e0f7704176104f62e562e3b6c552197db7b229fef50a561acec85267f

  • memory/1672-160-0x0000000002770000-0x0000000003770000-memory.dmp

    Filesize

    16.0MB

  • memory/1672-161-0x0000000002770000-0x0000000003770000-memory.dmp

    Filesize

    16.0MB

  • memory/1672-163-0x0000000002770000-0x0000000003770000-memory.dmp

    Filesize

    16.0MB

  • memory/1672-164-0x0000000002770000-0x0000000003770000-memory.dmp

    Filesize

    16.0MB

  • memory/4784-146-0x00000000026C0000-0x00000000036C0000-memory.dmp

    Filesize

    16.0MB

  • memory/4784-140-0x00000000026C0000-0x00000000036C0000-memory.dmp

    Filesize

    16.0MB