Overview

overview

10

Static

static

1

PO.230029.js

windows7-x64

10

PO.230029.js

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-02-2023 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.230029.js

  • Size

    3.5MB

  • MD5

    2760f9a45e9e74c4eedfe9b0ee918e6b

  • SHA1

    277c62b14c987da3cf4c9e7d4ee4478cf61580c7

  • SHA256

    18827fed6ecd5e4d2c548dcad1eb21730a95f52b578bed75e3003b06a7390482

  • SHA512

    45aa5c7a51f644e82fc436029187fef542ee9a3be80ed8c3535c0383c938509f4d3f4414c97328430092bec1eed5a5105d47f45f36664f49c63a146b12a9fb7e

  • SSDEEP

    6144:nDKcCNX9cMH0svW5he7NbWSRU9qB02HkyjM6P:nDupdf

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 35 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.230029.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EgxzFQzayc.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1360
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO.230029.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EgxzFQzayc.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1116

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\EgxzFQzayc.js
    Filesize

    346KB

    MD5

    5aa142c9e33d0c5d72f0fc4951e6c080

    SHA1

    b20626787b7e3f16c2c8aa46489c60002be05b79

    SHA256

    d0dbf9b445cc01f36e0d7b3483ade4479a2f1b54bf531716330b32b0d904d303

    SHA512

    a8c9769fc98a8e867b0b5e8bd73fc602f906d63ead71ad85da084c00c32e0a12dd8c124d82fffe8117fc325a7325e2e9caf2e3e49a6ebed2cd5daf6d27b60e77

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EgxzFQzayc.js
    Filesize

    346KB

    MD5

    5aa142c9e33d0c5d72f0fc4951e6c080

    SHA1

    b20626787b7e3f16c2c8aa46489c60002be05b79

    SHA256

    d0dbf9b445cc01f36e0d7b3483ade4479a2f1b54bf531716330b32b0d904d303

    SHA512

    a8c9769fc98a8e867b0b5e8bd73fc602f906d63ead71ad85da084c00c32e0a12dd8c124d82fffe8117fc325a7325e2e9caf2e3e49a6ebed2cd5daf6d27b60e77

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.230029.js
    Filesize

    3.5MB

    MD5

    2760f9a45e9e74c4eedfe9b0ee918e6b

    SHA1

    277c62b14c987da3cf4c9e7d4ee4478cf61580c7

    SHA256

    18827fed6ecd5e4d2c548dcad1eb21730a95f52b578bed75e3003b06a7390482

    SHA512

    45aa5c7a51f644e82fc436029187fef542ee9a3be80ed8c3535c0383c938509f4d3f4414c97328430092bec1eed5a5105d47f45f36664f49c63a146b12a9fb7e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PO.230029.js
    Filesize

    3.5MB

    MD5

    2760f9a45e9e74c4eedfe9b0ee918e6b

    SHA1

    277c62b14c987da3cf4c9e7d4ee4478cf61580c7

    SHA256

    18827fed6ecd5e4d2c548dcad1eb21730a95f52b578bed75e3003b06a7390482

    SHA512

    45aa5c7a51f644e82fc436029187fef542ee9a3be80ed8c3535c0383c938509f4d3f4414c97328430092bec1eed5a5105d47f45f36664f49c63a146b12a9fb7e

    Download Submit