Overview

overview

10

Static

static

5597f148d2...41f.js

windows7-x64

10

5597f148d2...41f.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2022, 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f.js

  • Size

    1.1MB

  • MD5

    38384d69c165b100f3e0bb9628feab41

  • SHA1

    e5d43d8c4e69c1b11eb0e98bef644440e7a1ea5a

  • SHA256

    5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f

  • SHA512

    e0cd055fd8dbcbeca87826e5f91ffdcc5b2aed225a9aa6136d1ee9538d9ca2d4ec9fe8d7d50bb9acaddb475b789c5cd9bbd9f78d0f3b8aa5074fd911f5672d3b

  • SSDEEP

    12288:GtHYDeDuDLzi5Zvhxuw/9qfuu7u0mqY4KjqjxXlb67SlkEbDVk:Y7xp9qfuu7u0mqY4K+SmlkEXVk

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 54 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cGgozkzQYb.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4824
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cGgozkzQYb.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f.js
    Filesize

    1.1MB

    MD5

    38384d69c165b100f3e0bb9628feab41

    SHA1

    e5d43d8c4e69c1b11eb0e98bef644440e7a1ea5a

    SHA256

    5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f

    SHA512

    e0cd055fd8dbcbeca87826e5f91ffdcc5b2aed225a9aa6136d1ee9538d9ca2d4ec9fe8d7d50bb9acaddb475b789c5cd9bbd9f78d0f3b8aa5074fd911f5672d3b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f.js
    Filesize

    1.1MB

    MD5

    38384d69c165b100f3e0bb9628feab41

    SHA1

    e5d43d8c4e69c1b11eb0e98bef644440e7a1ea5a

    SHA256

    5597f148d24f8999fa0e961445c95d0b854a8c296a46cb92db48ddbc1ecc341f

    SHA512

    e0cd055fd8dbcbeca87826e5f91ffdcc5b2aed225a9aa6136d1ee9538d9ca2d4ec9fe8d7d50bb9acaddb475b789c5cd9bbd9f78d0f3b8aa5074fd911f5672d3b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cGgozkzQYb.js
    Filesize

    299KB

    MD5

    e25921817f40444325fb0903c802f7e8

    SHA1

    1378235074917b2322409957a81de7cc13cc516d

    SHA256

    51f3bdda25cd5c326a09abfbbe09b17cc71d5693a4d5650bb6d5a7a73980095a

    SHA512

    24c2c7dc61ddd95c55b69a29b7cf3b8336d24eabc0cd89b4639d701851508265564d53b4fa4db2f48a1aa770919983820474e79f8f6d2868755996c30a35ada2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cGgozkzQYb.js
    Filesize

    299KB

    MD5

    e25921817f40444325fb0903c802f7e8

    SHA1

    1378235074917b2322409957a81de7cc13cc516d

    SHA256

    51f3bdda25cd5c326a09abfbbe09b17cc71d5693a4d5650bb6d5a7a73980095a

    SHA512

    24c2c7dc61ddd95c55b69a29b7cf3b8336d24eabc0cd89b4639d701851508265564d53b4fa4db2f48a1aa770919983820474e79f8f6d2868755996c30a35ada2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cGgozkzQYb.js
    Filesize

    299KB

    MD5

    e25921817f40444325fb0903c802f7e8

    SHA1

    1378235074917b2322409957a81de7cc13cc516d

    SHA256

    51f3bdda25cd5c326a09abfbbe09b17cc71d5693a4d5650bb6d5a7a73980095a

    SHA512

    24c2c7dc61ddd95c55b69a29b7cf3b8336d24eabc0cd89b4639d701851508265564d53b4fa4db2f48a1aa770919983820474e79f8f6d2868755996c30a35ada2

    Download Submit