Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/12/2022, 10:46

General

  • Target

    test.js

  • Size

    609KB

  • MD5

    0dd3d7d195a7d45f24c1f86c25b8bd73

  • SHA1

    cb4142317dc5ca92ba2eee9aecc8809d34276ce4

  • SHA256

    cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

  • SHA512

    63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

  • SSDEEP

    3072:vTwFRFxmzUmKvOERglXIjl7U0lVJSpHOcdKzPaKjaFeMXnsM4MkY9WZY5i/1RgHj:v+67ykgieRJ4Xp8Gl+stC/MxiP1YfoO

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (33 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file (5 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this generically as likely ransomware behaviour; for a JavaScript worm such as Vjw0rm it is more plausibly removable-drive enumeration used for spreading.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1028
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\test.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1084
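The tree above is a compact detection pattern: a script host launched on a file under the user profile, wscript.exe spawning another wscript.exe with `//B` (batch mode, which suppresses script error dialogs) on a copy under AppData\Roaming, a .js written to the Startup folder, and a Run key added. The Python below is an added example written for this page, not code from the report or from any sandbox's signature engine. It runs those rules over constructed Sysmon-style process, file and registry events that mirror the tree; the event layout, the rule names and the Run key value data are assumptions (the report records that a Run key was added but does not show its contents).

```python
"""Detection rules for the wscript.exe self-replication chain shown in the report."""
import re
from dataclasses import dataclass

# Directories a user-level dropper can write to; script hosts run from here are suspect.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Constructed events modelled on the process tree in this report (not raw sandbox telemetry).
EVENTS = [
    {"type": "process", "pid": 4784, "ppid": 1234, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js"},
    {"type": "file", "pid": 4784,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js"},
    # Hypothetical value data: the report shows a Run key was added, not what it points to.
    {"type": "registry", "pid": 4784, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"},
    {"type": "process", "pid": 1028, "ppid": 4784, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"'},
    {"type": "process", "pid": 1672, "ppid": 4784, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\test.js"'},
    {"type": "process", "pid": 1084, "ppid": 1672, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"'},
    # Benign control: a script host run from Program Files by a non-script-host parent.
    {"type": "process", "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\logon.js"'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_args(cmdline: str):
    """Return (batch_mode, script_path) parsed from a wscript/cscript command line."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    batch = any(t.lower() == "//b" for t in tokens)
    script = next((t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)), None)
    return batch, script


def detect(events):
    """Apply the four rules and return one Finding per hit."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            if image_name(e["image"]) not in SCRIPT_HOSTS:
                continue
            batch, script = script_args(e["cmdline"])
            low = (script or "").lower()
            if any(d in low for d in USER_WRITABLE):
                flag = " (//B)" if batch else ""
                findings.append(Finding("SCRIPT_HOST_FROM_USER_DIR", pid, f"{script}{flag}"))
            parent = by_pid.get(e["ppid"])
            if parent and image_name(parent["image"]) in SCRIPT_HOSTS:
                findings.append(Finding("SCRIPT_HOST_SPAWNS_SCRIPT_HOST", pid, f"parent pid {parent['pid']}"))
        elif e["type"] == "file":
            low = e["path"].lower()
            if STARTUP_DIR in low and low.endswith(SCRIPT_EXTS):
                findings.append(Finding("SCRIPT_DROPPED_IN_STARTUP", pid, e["path"]))
        elif e["type"] == "registry":
            if e["key"].lower().endswith("\\currentversion\\run") and e["data"].lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("RUN_KEY_POINTS_TO_SCRIPT", pid, e["data"]))
    return findings


def rules_for_pid(findings, pid: int):
    """Set of rule names that fired for a given process id."""
    return {f.rule for f in findings if f.pid == pid}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Each of the four wscript.exe processes in the report's tree trips at least one rule, the benign control trips none, and the parent-child rule is what separates this chain from a legitimate logon script: an administrator-deployed script is launched by explorer.exe or the task scheduler, not by another wscript.exe.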

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js

    Filesize

    209KB

    MD5

    317f5e88c459ca95d712ff48993c684d

    SHA1

    f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

    SHA256

    a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

    SHA512

    49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js

    Filesize

    609KB

    MD5

    0dd3d7d195a7d45f24c1f86c25b8bd73

    SHA1

    cb4142317dc5ca92ba2eee9aecc8809d34276ce4

    SHA256

    cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

    SHA512

    63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

  • C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js

    Filesize

    209KB

    MD5

    317f5e88c459ca95d712ff48993c684d

    SHA1

    f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

    SHA256

    a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

    SHA512

    49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

  • C:\Users\Admin\AppData\Roaming\test.js

    Filesize

    609KB

    MD5

    0dd3d7d195a7d45f24c1f86c25b8bd73

    SHA1

    cb4142317dc5ca92ba2eee9aecc8809d34276ce4

    SHA256

    cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

    SHA512

    63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0