Overview

overview

10

Static

static

PAYMENT SWIFT.jar

windows7-x64

10

PAYMENT SWIFT.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2022, 10:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT SWIFT.jar

  • Size

    81KB

  • MD5

    5f49f9e0adbfb9aa8a3001511918e219

  • SHA1

    3f5e25c46c605fa5e9e2681b1a7e3003802580e3

  • SHA256

    2a6d83a4c367c9f0d23874ee32aa05c30e5d80e13d4b9d7d31ac5f7b0308eeff

  • SHA512

    28d60b13919bfb812e7c99b63edd558b2e6a05c27b1dae9bd4dbaf6aa0c6a5942ddd0f553bf2f909cf18380b3e2e0e6ca8acca661e1cd905ba217a95a75948c8

  • SSDEEP

    1536:yEru81UBVOdxyo5g8puLyGuB/+78WSrjHynsrHYtHSyDMmFeWuaWvVGApDt7p+zL:frueUBWW8pFHBkCnWAYVS+MautkApDtU

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\cbnyinpadw.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\aoGofoNzDc.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4468
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\skkgwpkkik.txt"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1960

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
          Filesize

          50B

          MD5

          738d7d27508a452a4aa25f30506f986a

          SHA1

          3203600645aa3937e706d5d94fc3d83203110b42

          SHA256

          e28bd8c68606b65ee7767c4143588ad50e15067b2195b9d25f06c1c578559e89

          SHA512

          8e475470061e223575d481625c1cf9b927780e07685a6bedb24812437e975f3a4ba4e191969f387ed9f479e08bce94609433e2845dee59614ef0e43d156108a4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aoGofoNzDc.js
          Filesize

          11KB

          MD5

          65fb6591e57956055eab89244ba308d0

          SHA1

          7f75b5418092875e5b637db3bba5fa7e95def85b

          SHA256

          3be47fb6fc32f47c2acffff45389c6320f1d105a21afe00682fd3cef2eaadebe

          SHA512

          fff6080536f5ec311834ebaf240a0db820609f532def00a90da86ac4237a245dcd46f4152710886ac7b472e91829d815fa9c00c730f7d3d090bb4491e4d97df1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\skkgwpkkik.txt
          Filesize

          51KB

          MD5

          c1783ea3118978252aa6c8891d0ea61c

          SHA1

          9986142768fd83fb445f8ac6dfd196aba3fb3139

          SHA256

          23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855

          SHA512

          6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006

          Download Submit

        • C:\Users\Admin\cbnyinpadw.js
          Filesize

          130KB

          MD5

          6b953009e26aa623b6e644bfb8bcdbcd

          SHA1

          ba8466a391ef31e1f5dd2e14e714ea4b46236098

          SHA256

          b85406c325c6249bb8442256152056e89e270cc14c430ba7c2aa35d0289dddf2

          SHA512

          b8923f09990134ab8587df0f84b290a381e409dbe2a448e9a48b482ada8162524ef1bd5ce81bf13200cd4a22d487882f8f2218a81787b5e04cd4d5d624a2a6ae

          Download Submit

        • memory/1960-164-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1960-162-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1960-165-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1960-166-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1960-172-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/4060-137-0x0000000002ED0000-0x0000000003ED0000-memory.dmp

          Filesize

          16.0MB

          Download