Overview

overview

10

Static

static

1

shipment_details.js

windows7-x64

10

shipment_details.js

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2023 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipment_details.js

  • Size

    4.2MB

  • MD5

    fa2dccbcd1a13b5ed4a37cfe2f6bd98e

  • SHA1

    e9bfca02fe3610209e4d978706fb0ffa708c23de

  • SHA256

    e6a1e467986946fec245767752bfdb0b627488834769bc4ea18cfe5416ca97c8

  • SHA512

    d7fff2cb89edf7ec8d7e8e3c87c339a0d89b9ce90245985f27bcbd59c2cfb27dfb9e757fe5cae6b33728def4221ef1e2a7bca8876be36dd3d54ae86db5837ff8

  • SSDEEP

    24576:DLXDS1oAQLfjv/dcBBEKURJFxCl4V0lZ3LUua5qTV/+GuPII+yo6gcuXoHmGt7SA:KgPFV5

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\shipment_details.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\GveCwylsAy.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3120
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xpuujbugrk.txt"
      2⤵
        PID:3652

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\GveCwylsAy.js
      Filesize

      346KB

      MD5

      7b9709a9153ac4cb215f16fdf60be200

      SHA1

      0883c7965e51ecfd6a947b9bfd6b423f121196db

      SHA256

      f44886cb49e3a9ba393eff0736521cd8c8e54ebc91502e866bd702d9308d7e50

      SHA512

      c482c760a396fea1c1707fcee39f43d58fd8731f4c91a18a355659e63656cae67b5ba41a07cef932c09e0564d7022739cdf53fd3821cda2d0e774f4a2b584f02

      Download Submit

    • C:\Users\Admin\AppData\Roaming\xpuujbugrk.txt
      Filesize

      92KB

      MD5

      d03e147aa64697d957d39b1c641fad7f

      SHA1

      ba541702a1e4a8a05c72c613f466ff06dc268a5f

      SHA256

      0bce2dcb90b837d4d30ed36842d76d0e87cc548497eccac7c650efa3e650fedc

      SHA512

      50f1bb4bbacb25e79c9f80b6c9a6766865d8e682bebf162fe84f208f3f2dc2487daf08bda5072866848641f6b1f600968614e2dcbcb628d32fbb1467422dd04f

      Download Submit

    • memory/3652-150-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-160-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-195-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-220-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-221-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-225-0x00000000015C0000-0x00000000015C1000-memory.dmp

      Filesize

      4KB

      Download