Analysis

  • max time kernel
    106s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2022 10:21

General

  • Target

    wynwormi (1).js

  • Size

    6KB

  • MD5

    c02658d3892d92f451f860901be1ff6e

  • SHA1

    68364e2a981abc87db70afd28c9b70d83c4f25fb

  • SHA256

    bdd8a1389c36a9be565f526e3c590b4c4eabbc946b8d25d6791e334aa090ffed

  • SHA512

    87373410957f63273f21d867d5572119912cadf0f0114bfe2b840fa5eaf7b209f4f38b3032c65a7f031e3cdf93e0ce02017809c6c7e213620f44b474dce98f97

  • SSDEEP

    192:zkiLVbdiHOTZ81U/MBAMzeEC1qOZow5mP8ZMjQaQq59u2PwMpSA20o3UPCv+KXr5:TIIqkosXr4+LSh9fFHvfBE

Malware Config

Extracted

Family

vjw0rm

C2

http://45.139.105.174:6605

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynwormi (1).js"
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:860

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/860-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

    Filesize

    8KB