Overview

overview

10

Static

static

Payment.js

windows7-x64

10

Payment.js

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2022, 07:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment.js

  • Size

    28KB

  • MD5

    359404b0cab1f6527c6f200437696451

  • SHA1

    9da5f4937f158978047db38d38eb9bc20196dc8d

  • SHA256

    bb71355902607d2c6b880b49cbfce0c9fd98f03297e0836d3adbcbfba9ea5feb

  • SHA512

    3bd9c816a8ab8515f7a02b9085c6b321fc6fd7d49d8d8b5e42d274b4db606cfa3f927ddb5741aa94edfb40fa2b4d042fa26e6e98d967920f22ab90ecef04d122

  • SSDEEP

    768:73PRmOQmiKb7OjxQIjkhqxOjrptJ4fOhnFT:7OmiQkkhjrFzN

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 31 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QoWJFExORY.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:560

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\QoWJFExORY.js
          Filesize

          9KB

          MD5

          b887f638862355636804bbe6e55e3a94

          SHA1

          35b8933be5d930d4cf360f2e8652d3d3bffe601c

          SHA256

          c0a37899c089539026ac8580aa286cb460f3d0e0ba8b4a6c411b88fe84893bdd

          SHA512

          b8c8f0d59b368c407993ab9b6c561f50bdb750e4e8c858415f387f94bac96915238b427b4847258808395ceb5af30848dba322511384bbe2c052b273ba141317

          Download Submit

        • memory/740-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

          Filesize

          8KB

          Download