Overview

overview

10

Static

static

AWB NO - 3...35.jar

windows7-x64

10

AWB NO - 3...35.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB NO - 3806763435.jar

  • Size

    135KB

  • MD5

    f3ea82bc0cc2257700a03772803f33ba

  • SHA1

    4a3b8f5db62c2b8da10c12f303c793d4c906154c

  • SHA256

    637d0ad48e3a475f7b025f1c9fe9baf21644f56e8cb80191b442cadb4fdd9ca6

  • SHA512

    09a18567c0955b0a0a8e626d5bd8e7fd92229276cd750a07788a14ad8ab9ff86a1f86e6e601e49bac1ba5f0c3c6cb70aa56eb18381fee0557c760c5f7949c798

  • SSDEEP

    3072:mf6XMlidasMjimQsBqUDt/Gsz8DSXyKlQwy:mf6XKisgmQsB5tlBXyKlQwy

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\AWB NO - 3806763435.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\fcttazxkll.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\UbAiBlUvAZ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4380
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fcymhfmvy.txt"
        3⤵
        • Drops file in Program Files directory
        PID:3260

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    Filesize

    50B

    MD5

    032fec3920b718947834f7460d17f409

    SHA1

    ff8ac1238efcabea4255454dd0e5a2ec97cefc53

    SHA256

    756401cd7ff3e9d1a6a51b7d332a1d6b1925577154a9dbed61ff4b2547753317

    SHA512

    952b5ab88afb7d1a5fe51b47b69664ab0ceb06868f5c0418342831b96efb33b54ff19b2fedd5d02683fe329d83bdce944367fa751180e5213359e79e885b73fe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\UbAiBlUvAZ.js
    Filesize

    23KB

    MD5

    c53fc2f411c2a1b4742db917bd10708f

    SHA1

    d34fcd46c30ab1d8d6b21535f63f420f536154a6

    SHA256

    d2aefa366d202443a0250d5bc93802230486b3990dce7c12b419be570818c67a

    SHA512

    7aee8c96b0c7c4c974b1be1379ab1d8a10a3f444cd36d68c6684ac2a540ec15210ea247d3f04be7e4251d0e4da1cff14503406b5778f6cae310fbcac283663ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\fcymhfmvy.txt
    Filesize

    91KB

    MD5

    3bbdbc10682111317bef9f19b6dbb95e

    SHA1

    135efb10366e837601e01cec75999662abb87a80

    SHA256

    9045fd0a805e07c7e6367fb3cb62f8121964056894cee3b56f6f85feddce92f7

    SHA512

    858f62f75d3eb1c4f7fbef9c92cd10e26e5326484e5557a7e1a6bb140413470c2364b0f44383a166e3517d1d759775c17baa46560bf13768850cf3b1573b1170

    Download Submit

  • C:\Users\Admin\fcttazxkll.js
    Filesize

    240KB

    MD5

    acad0bd0c33f21939a775ce90b38d4e2

    SHA1

    5b3c2c7723b4bbc3185be8a74d1cde81a60fa1a1

    SHA256

    168c84c8a36ea84c39cc8380447d4c81227f924ed80bcaa432f34116a87b63ab

    SHA512

    9e8572be372134639e9ddf88c832cd17d7a03882e3389bedd1a32845851ad189edb26354f06cf563a2d8101b4eb31426a7566e4ab3cc798b78a6869b525368b4

    Download Submit

  • memory/2416-142-0x0000000000000000-mapping.dmp

    Download

  • memory/3260-170-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3260-147-0x0000000000000000-mapping.dmp

    Download

  • memory/3260-157-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3260-173-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3260-174-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3260-175-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3616-141-0x00000000025D0000-0x00000000035D0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4380-145-0x0000000000000000-mapping.dmp

    Download