Overview

overview

10

Static

static

AWB NO - 3...35.jar

windows7-x64

10

AWB NO - 3...35.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB NO - 3806763435.jar

  • Size

    135KB

  • MD5

    f3ea82bc0cc2257700a03772803f33ba

  • SHA1

    4a3b8f5db62c2b8da10c12f303c793d4c906154c

  • SHA256

    637d0ad48e3a475f7b025f1c9fe9baf21644f56e8cb80191b442cadb4fdd9ca6

  • SHA512

    09a18567c0955b0a0a8e626d5bd8e7fd92229276cd750a07788a14ad8ab9ff86a1f86e6e601e49bac1ba5f0c3c6cb70aa56eb18381fee0557c760c5f7949c798

  • SSDEEP

    3072:mf6XMlidasMjimQsBqUDt/Gsz8DSXyKlQwy:mf6XKisgmQsB5tlBXyKlQwy

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 3 IoCs
  • Drops startup file 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\AWB NO - 3806763435.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\fcttazxkll.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\UbAiBlUvAZ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1820
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ziljthuck.txt"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\ziljthuck.txt"
          4⤵
            PID:524

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jre7\ziljthuck.txt
      Filesize

      91KB

      MD5

      3bbdbc10682111317bef9f19b6dbb95e

      SHA1

      135efb10366e837601e01cec75999662abb87a80

      SHA256

      9045fd0a805e07c7e6367fb3cb62f8121964056894cee3b56f6f85feddce92f7

      SHA512

      858f62f75d3eb1c4f7fbef9c92cd10e26e5326484e5557a7e1a6bb140413470c2364b0f44383a166e3517d1d759775c17baa46560bf13768850cf3b1573b1170

      Download Submit
    • C:\Users\Admin\AppData\Roaming\UbAiBlUvAZ.js
      Filesize

      23KB

      MD5

      c53fc2f411c2a1b4742db917bd10708f

      SHA1

      d34fcd46c30ab1d8d6b21535f63f420f536154a6

      SHA256

      d2aefa366d202443a0250d5bc93802230486b3990dce7c12b419be570818c67a

      SHA512

      7aee8c96b0c7c4c974b1be1379ab1d8a10a3f444cd36d68c6684ac2a540ec15210ea247d3f04be7e4251d0e4da1cff14503406b5778f6cae310fbcac283663ae

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ziljthuck.txt
      Filesize

      91KB

      MD5

      3bbdbc10682111317bef9f19b6dbb95e

      SHA1

      135efb10366e837601e01cec75999662abb87a80

      SHA256

      9045fd0a805e07c7e6367fb3cb62f8121964056894cee3b56f6f85feddce92f7

      SHA512

      858f62f75d3eb1c4f7fbef9c92cd10e26e5326484e5557a7e1a6bb140413470c2364b0f44383a166e3517d1d759775c17baa46560bf13768850cf3b1573b1170

      Download Submit
    • C:\Users\Admin\fcttazxkll.js
      Filesize

      240KB

      MD5

      acad0bd0c33f21939a775ce90b38d4e2

      SHA1

      5b3c2c7723b4bbc3185be8a74d1cde81a60fa1a1

      SHA256

      168c84c8a36ea84c39cc8380447d4c81227f924ed80bcaa432f34116a87b63ab

      SHA512

      9e8572be372134639e9ddf88c832cd17d7a03882e3389bedd1a32845851ad189edb26354f06cf563a2d8101b4eb31426a7566e4ab3cc798b78a6869b525368b4

      Download Submit
    • memory/524-86-0x0000000000000000-mapping.dmp
      Download
    • memory/524-97-0x00000000021E0000-0x00000000051E0000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/524-99-0x00000000021E0000-0x00000000051E0000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/932-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1212-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1212-65-0x0000000002180000-0x0000000005180000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/1712-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-80-0x0000000002360000-0x0000000005360000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/1712-85-0x0000000002360000-0x0000000005360000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/1820-69-0x0000000000000000-mapping.dmp
      Download