Analysis Overview
SHA256
74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68
Threat Level: Known bad
The file 879-5160.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 14:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 14:39
Reported
2022-11-09 14:40
Platform
win7-20220812-en
Max time kernel
24s
Max time network
64s
Command Line
Signatures
Vjw0rm
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 608 wrote to memory of 1752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 608 wrote to memory of 1752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 608 wrote to memory of 1752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 608 wrote to memory of 1444 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 608 wrote to memory of 1444 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 608 wrote to memory of 1444 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"
Network
Files
memory/608-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
memory/1752-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js
| Hash | Value |
|---|---|
| MD5 | 4ae28435a346bd27612683e2dd95d23a |
| SHA1 | cf1e5c6550216f15e175576d9229a6ed2bed965f |
| SHA256 | c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa |
| SHA512 | 9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f |
memory/1444-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\food.jar
| Hash | Value |
|---|---|
| MD5 | 3af77cc94136164de04568f4f1aed56c |
| SHA1 | 4cbff075ffa329b5b98cf892512f88dcd5804218 |
| SHA256 | b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede |
| SHA512 | 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-09 14:39
Reported
2022-11-09 14:40
Platform
win10v2004-20220812-en
Max time kernel
36s
Max time network
59s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.238.20.254:80 | | tcp |
| US | 8.238.20.126:80 | | tcp |
| US | 8.238.20.126:80 | | tcp |
| US | 52.109.8.44:443 | | tcp |