Overview

overview

10

Static

static

7a9d74c5d1...aee.js

windows7-x64

10

7a9d74c5d1...aee.js

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    182s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2023, 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

  • Size

    260KB

  • MD5

    d4b928defdafd9c54fe69160ba650cc8

  • SHA1

    041715d3775045016dfbebb68f8e4964c8ad123a

  • SHA256

    7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee

  • SHA512

    a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

  • SSDEEP

    6144:EPP/pyxHpiGSxCXJZTv+jCtMX1/MJIUDKi:EPXpyR17r+jCtMl/kD9

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 53 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1028
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js
    Filesize

    260KB

    MD5

    d4b928defdafd9c54fe69160ba650cc8

    SHA1

    041715d3775045016dfbebb68f8e4964c8ad123a

    SHA256

    7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee

    SHA512

    a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js
    Filesize

    6KB

    MD5

    a46a00fce7c7561dd03f37519c548491

    SHA1

    d707d5893467538b1ef934900fa7953b0ba3be37

    SHA256

    db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b

    SHA512

    61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js
    Filesize

    6KB

    MD5

    a46a00fce7c7561dd03f37519c548491

    SHA1

    d707d5893467538b1ef934900fa7953b0ba3be37

    SHA256

    db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b

    SHA512

    61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js
    Filesize

    260KB

    MD5

    d4b928defdafd9c54fe69160ba650cc8

    SHA1

    041715d3775045016dfbebb68f8e4964c8ad123a

    SHA256

    7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee

    SHA512

    a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js
    Filesize

    6KB

    MD5

    a46a00fce7c7561dd03f37519c548491

    SHA1

    d707d5893467538b1ef934900fa7953b0ba3be37

    SHA256

    db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b

    SHA512

    61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

    Download Submit

  • memory/1708-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

    Filesize

    8KB

    Download