Overview

overview

10

Static

static

7

9e98c04e77...21d.js

windows7-x64

10

9e98c04e77...21d.js

windows10-2004-x64

10

c72d738747...8bf.js

windows7-x64

10

c72d738747...8bf.js

windows10-2004-x64

10

cc03a8f943...70.exe

windows7-x64

10

cc03a8f943...70.exe

windows10-2004-x64

1

eb6af295c3...cb.exe

windows7-x64

7

eb6af295c3...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2023 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c72d738747f68d4f8d9e9368e47928bf.js

  • Size

    9.2MB

  • MD5

    c72d738747f68d4f8d9e9368e47928bf

  • SHA1

    00b523b2e3ab0f2bfd7d4aabf3b1c33ae390c585

  • SHA256

    06b94b3ec86bd4a61888848f379808954de1ff2a1fe471edcfa312f5e9ba2ab5

  • SHA512

    1a01baa0c813b928cf5dfe456f76acdcf9be0e0df8a6131e248f9aa5456c65a69cb9809efe56afc4db32cfeeb93ca42e3319f1e53689ba4ed23b77911b802c61

  • SSDEEP

    3072:gNK8RjR/R8x/xqm2O1IrWa7Mjv/GnOv3GmPLjCKKIz9vs2J96i/OBDVOdz83Pm7+:I

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 3 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:520
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tenotvjsh.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\tenotvjsh.txt"
        3⤵
          PID:1580

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js
      Filesize

      1.1MB

      MD5

      b7e9c8bac9afc434944605c2422e1ad0

      SHA1

      a653b478be92ecbd848bf79e175c454ebb9ccf21

      SHA256

      be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465

      SHA512

      b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190

      Download Submit
    • C:\Users\Admin\AppData\Roaming\tenotvjsh.txt
      Filesize

      164KB

      MD5

      ec5e12b3ea2318692c2d2b74c33dfbda

      SHA1

      f7f6c3d3e266c7a85ec489389d5508eaa1983055

      SHA256

      056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7

      SHA512

      0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a

      Download Submit
    • C:\Users\Admin\tenotvjsh.txt
      Filesize

      164KB

      MD5

      ec5e12b3ea2318692c2d2b74c33dfbda

      SHA1

      f7f6c3d3e266c7a85ec489389d5508eaa1983055

      SHA256

      056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7

      SHA512

      0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a

      Download Submit
    • memory/1340-70-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1340-77-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1340-87-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1340-95-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1340-97-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1580-108-0x0000000000430000-0x0000000000431000-memory.dmp
      Filesize

      4KB

      Download