Analysis
-
max time kernel
118s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
02-02-2023 12:20
Static task
static1
Behavioral task
behavioral1
Sample
TG216_94_312_PDF.js
Resource
win7-20220901-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
TG216_94_312_PDF.js
Resource
win10v2004-20221111-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
TG216_94_312_PDF.js
-
Size
97KB
-
MD5
7afbb2051c1ba1c1e88c499c5e11636a
-
SHA1
4b2a14b3ca310b1f39959c130ae7b72a03078873
-
SHA256
74fc83dc153086db0329b982e73e8bee4b652d1265c8185b0b4374898a112d06
-
SHA512
c506d2d13383948d9acfafdc152f81326fc73381530fbb019794f9bc2b7733b3b455f6eddc92d597614f0f6d641f391d737f93f809486707cb1d8f84378309ec
-
SSDEEP
384:chWWz5Kfy24jHueR45qWWxWBWHKSqmqR4G:XYG
Score
10/10
Malware Config
Extracted
Family
vjw0rm
C2
http://js9400.duckdns.org:9400
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 8 2012 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TG216_94_312_PDF.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TG216_94_312_PDF.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\TG216_94_312_PDF.js'" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.