Resubmissions

10-11-2022 09:41

221110-ln8wjsafbj 10

09-11-2022 14:39

221109-r1d5labccm 10

Analysis

  • max time kernel
    24s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2022 14:39

General

  • Target

    879-5160.js

  • Size

    438KB

  • MD5

    90764ebb7698c03e99414abebcb5746c

  • SHA1

    047fae3fc68e5a3d540606e23a9e0c776caed390

  • SHA256

    74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68

  • SHA512

    e88154b0e2db0ea886e0ea1de3ff0053dbff387f2b1b941f5ceedaa73d3c72d26dbc6e8c9b97e6f7d79f1f624afad65ff4ec3eafe2f57db831f10af2ecbfdcdc

  • SSDEEP

    6144:uG40ClC7RcWn8EZ5K9wCmZ7FMI5L2sDlPt8rXC8kjJ1egfVX8IPxxmVfhiUJeeI+:uG4BiF5K9YV2mtw3gdXZXEIvYcXM

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"
      2⤵
      • Drops startup file
      PID:1752
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"
      2⤵
      PID:1444

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\food.jar

    Filesize

    100KB

    MD5

    3af77cc94136164de04568f4f1aed56c

    SHA1

    4cbff075ffa329b5b98cf892512f88dcd5804218

    SHA256

    b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede

    SHA512

    657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

  • C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js

    Filesize

    7KB

    MD5

    4ae28435a346bd27612683e2dd95d23a

    SHA1

    cf1e5c6550216f15e175576d9229a6ed2bed965f

    SHA256

    c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa

    SHA512

    9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f

  • memory/608-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

    Filesize

    8KB