Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 02:20

General

  • Target
    js (2).js
  • Size
    68KB
  • MD5
    c1c77d014849645fd2802f7e4f421bd1
  • SHA1
    0ffe0908f44ba65fa664a1d6a82de61e71690845
  • SHA256
    355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc
  • SHA512
    f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329
  • SSDEEP
    1536:eET4c9hSc/PbwG+j/UZABcxGI1BG0yz3pLS2Xmi0jd:eEsc9p/DT+kwI1BHw8

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 33 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\js (2).js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4440
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\js (2).js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4228

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js
    Filesize
    16KB
    MD5
    2c9dd6febafc1246323d17d70cae26b8
    SHA1
    8b1b662992584acc1b64ca9626fd272c3f2d49be
    SHA256
    3a500edcc24ec6e223d86b32f60718e24bd3ee2b186524b627f4fe1783dfb3a5
    SHA512
    b69df04f7444437ce2835c898d4f1f209cb00184f4e55074e77dc2beaf72bc328ae6cfab25f459e6d7bcea987638dd17301884827d9896bf8ce6692b57ae11e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MdLoMTMthZ.js
    Filesize
    16KB
    MD5
    2c9dd6febafc1246323d17d70cae26b8
    SHA1
    8b1b662992584acc1b64ca9626fd272c3f2d49be
    SHA256
    3a500edcc24ec6e223d86b32f60718e24bd3ee2b186524b627f4fe1783dfb3a5
    SHA512
    b69df04f7444437ce2835c898d4f1f209cb00184f4e55074e77dc2beaf72bc328ae6cfab25f459e6d7bcea987638dd17301884827d9896bf8ce6692b57ae11e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js (2).js
    Filesize
    68KB
    MD5
    c1c77d014849645fd2802f7e4f421bd1
    SHA1
    0ffe0908f44ba65fa664a1d6a82de61e71690845
    SHA256
    355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc
    SHA512
    f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329

  • C:\Users\Admin\AppData\Roaming\js (2).js
    Filesize
    68KB
    MD5
    c1c77d014849645fd2802f7e4f421bd1
    SHA1
    0ffe0908f44ba65fa664a1d6a82de61e71690845
    SHA256
    355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc
    SHA512
    f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329

  • memory/540-134-0x0000000000000000-mapping.dmp

  • memory/4228-136-0x0000000000000000-mapping.dmp

  • memory/4440-132-0x0000000000000000-mapping.dmp