Overview

overview

10

Static

static

cd6b788372...8d3.js

windows7-x64

10

cd6b788372...8d3.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2023, 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js

  • Size

    260KB

  • MD5

    ec87b49270ad1afb170890fc4644bd59

  • SHA1

    997f47e7d0bd7bc4ba59c2b737c0b5e108858b62

  • SHA256

    cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3

  • SHA512

    2daa9b36563380a3d55f2a0ec8ddbd1b8fe5d045acb9b98fb210af0e861ed523adef67ee791680e9a9608733e89ba274507ed2405ac9191f62e01f709f19162f

  • SSDEEP

    6144:EPP/pyxHpiGSxCXJZTv+jCtMX1/MJIUDKi:EPHpyR17r+jCtMl/kD9

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 53 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1504
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1768

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
    Filesize

    260KB

    MD5

    ec87b49270ad1afb170890fc4644bd59

    SHA1

    997f47e7d0bd7bc4ba59c2b737c0b5e108858b62

    SHA256

    cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3

    SHA512

    2daa9b36563380a3d55f2a0ec8ddbd1b8fe5d045acb9b98fb210af0e861ed523adef67ee791680e9a9608733e89ba274507ed2405ac9191f62e01f709f19162f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js
    Filesize

    6KB

    MD5

    a46a00fce7c7561dd03f37519c548491

    SHA1

    d707d5893467538b1ef934900fa7953b0ba3be37

    SHA256

    db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b

    SHA512

    61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js
    Filesize

    6KB

    MD5

    a46a00fce7c7561dd03f37519c548491

    SHA1

    d707d5893467538b1ef934900fa7953b0ba3be37

    SHA256

    db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b

    SHA512

    61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
    Filesize

    260KB

    MD5

    ec87b49270ad1afb170890fc4644bd59

    SHA1

    997f47e7d0bd7bc4ba59c2b737c0b5e108858b62

    SHA256

    cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3

    SHA512

    2daa9b36563380a3d55f2a0ec8ddbd1b8fe5d045acb9b98fb210af0e861ed523adef67ee791680e9a9608733e89ba274507ed2405ac9191f62e01f709f19162f

    Download Submit

  • memory/956-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

    Filesize

    8KB

    Download