Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10/10/2022, 09:16

General

  • Target

    scan002548.pdf.js

  • Size

    16KB

  • MD5

    4580dbb222f08f1c08a6e79a1e12f3aa

  • SHA1

    d363d4d19625e3931bbda3a9ca7b776485768a50

  • SHA256

    b921ff143f8ca087ff5300fc4bbfe2380d4b8f33d05120d2aec85faebce907f8

  • SHA512

    f4d9bd04313ea69bf9bc4b07c8c11f1938629c099168c3ab6cf23ce188e2157bfd48f3abf0ab2656e9469792e7d066f24aa8ed6f487bf8db9711f62ce98313b0

  • SSDEEP

    384:XFHo+Kdxqm4y1eJcztRyKQbiWMzCKQzhvzS2aGapj:XBobnxeIRyrMzqxPapj

Malware Config

Extracted

Family

vjw0rm

C2

http://whiteking.giize.com:6565

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\scan002548.pdf.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NbcMSbvqgG.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NbcMSbvqgG.js

    Filesize

    5KB

    MD5

    38ab62fc6688bab6d4a1b275969e147d

    SHA1

    dfc02f21a6ec8b17e8e10f26de161ed06ac3bcb7

    SHA256

    3a46e2e43ceb2f2edb5ccebef9bddc9dc79d8fcbf6e266bffa8be503618b33b3

    SHA512

    276744bff93bd1f5bd970a640ca09a27b938daff4a71bda9623870b5ae8d033d2105fe3ccffeac2ccf1cd123b9febedd8d1e78140f988abc979f96c79161530d

  • memory/784-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

    Filesize

    8KB