Analysis

  • max time kernel
    194s
  • max time network
    223s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 13:44

General

  • Target

    PO N°CF004303.js

  • Size

    45KB

  • MD5

    fb075b3dbae613fee795bef80bf3eebc

  • SHA1

    f9156e2680111c34a5a56cc3fb36d86742db6ff8

  • SHA256

    9060f5e5675f06ff2744114c852ada2f5b146144cec99457f7435c529426fa81

  • SHA512

    2e0a57c232afd7516fe98a2a27eae9d8dd97097a9f580a742faa6979a9ab492ef3c1d55de7fb429854482447f7ada6c61a9de171747a4152196aaf711ecabe9c

  • SSDEEP

    768:NZLXAlESuz9e/oRmQSL0UvOcVzNf37JxEJNvsgiyYO1x:4iS9/wmQSLQWfX+UAYOH

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (16 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (5 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KGRPDFvesU.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3996
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO N°CF004303.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KGRPDFvesU.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1080

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\KGRPDFvesU.js

    Filesize

    8KB

    MD5

    01e46cde81ecddd417528e53a84cf2aa

    SHA1

    2ca646a2935daec82d4e1a06d4d2136fcd3e9ab5

    SHA256

    020733714168e60e4d9292e37f34f7c08b7acb77632579d269ce7d623e955c3c

    SHA512

    187e1bfea8fbf667e4182e0ad055f1f524f419de12ca7ad4cb21cdcde0e8fc93482ccbb5dc09c6896b164a9615cec43827319a2842b2463868a8ff13946abb92

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KGRPDFvesU.js

    Filesize

    8KB

    MD5

    01e46cde81ecddd417528e53a84cf2aa

    SHA1

    2ca646a2935daec82d4e1a06d4d2136fcd3e9ab5

    SHA256

    020733714168e60e4d9292e37f34f7c08b7acb77632579d269ce7d623e955c3c

    SHA512

    187e1bfea8fbf667e4182e0ad055f1f524f419de12ca7ad4cb21cdcde0e8fc93482ccbb5dc09c6896b164a9615cec43827319a2842b2463868a8ff13946abb92

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js

    Filesize

    45KB

    MD5

    8d2c0f19aadc3185c965641bda720ff0

    SHA1

    4b53f247d5e49c1c2ef227dd4dec8ffe6796ffa6

    SHA256

    c8c879abecee4055bdfd555c038d2957aeb2e0fe63441bdfc794feb522398cfb

    SHA512

    b4a1e9357ccdbc585badaf5486bf8b5af1e722b05f10ec2dcbb905669914200bdd618c9e804e789484c3e7ac2ac3b9ebcbf22b49daed43ae0a069aab87b63102

  • C:\Users\Admin\AppData\Roaming\PO N°CF004303.js

    Filesize

    45KB

    MD5

    fb075b3dbae613fee795bef80bf3eebc

    SHA1

    f9156e2680111c34a5a56cc3fb36d86742db6ff8

    SHA256

    9060f5e5675f06ff2744114c852ada2f5b146144cec99457f7435c529426fa81

    SHA512

    2e0a57c232afd7516fe98a2a27eae9d8dd97097a9f580a742faa6979a9ab492ef3c1d55de7fb429854482447f7ada6c61a9de171747a4152196aaf711ecabe9c

  • memory/636-134-0x0000000000000000-mapping.dmp

  • memory/1080-136-0x0000000000000000-mapping.dmp

  • memory/3996-132-0x0000000000000000-mapping.dmp