Analysis
-
max time kernel
263s -
max time network
263s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
21-07-2023 13:24
General
-
Target
Spécifications de la commande.js
-
Size
26KB
-
MD5
890730ddebf9affaebc94bd26ca5ba14
-
SHA1
184fd52a0525b68c964f2b1c68fc7ed0f93a41b2
-
SHA256
822b0e065dd9e5bb4441ab4e7641f73e34d240272b2c664141d07abdd0ed7f2d
-
SHA512
77220a8c9c38a2fd5bf31243e52ea9eb50429cd2554b7709d19beae64076208b10bdb9e4e76cee2a931a871a763a5a7a7b4adefb18c7eaeac7b38fc1e7c6476a
-
SSDEEP
768:LqWqIHKOv52EIhyW3ub2SlnnPYEJr8sv/hFXpMkdDkyO:LqWzHB5GhbuqSlnwj+JppMcIyO
Malware Config
Extracted
vjw0rm
http://severdops.ddns.net:5050
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Spécifications de la commande.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Spécifications de la commande.js2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\9296npt.exe"C:\Users\Admin\AppData\Local\Temp\9296npt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD5b1affb57489ac0718bfdb5ad86127f91
SHA15f28f824aab6d4132f5ecd4829cdff79e4e550ec
SHA256347d8a0ebcc67f3321145f4a676cf54d7f9a15b57a102a2b5b1c78c2869226c4
SHA5126119180703e4c1062bcace0de111f7f126bc5aab28f839f52c4cae65f6afdc538bf7d1287b1dddd3290f56c769ee07274b37cefe1f90135ac34e2ea23c57be0f
-
Filesize
274KB
MD5b1affb57489ac0718bfdb5ad86127f91
SHA15f28f824aab6d4132f5ecd4829cdff79e4e550ec
SHA256347d8a0ebcc67f3321145f4a676cf54d7f9a15b57a102a2b5b1c78c2869226c4
SHA5126119180703e4c1062bcace0de111f7f126bc5aab28f839f52c4cae65f6afdc538bf7d1287b1dddd3290f56c769ee07274b37cefe1f90135ac34e2ea23c57be0f
-
Filesize
274KB
MD5b1affb57489ac0718bfdb5ad86127f91
SHA15f28f824aab6d4132f5ecd4829cdff79e4e550ec
SHA256347d8a0ebcc67f3321145f4a676cf54d7f9a15b57a102a2b5b1c78c2869226c4
SHA5126119180703e4c1062bcace0de111f7f126bc5aab28f839f52c4cae65f6afdc538bf7d1287b1dddd3290f56c769ee07274b37cefe1f90135ac34e2ea23c57be0f
-
Filesize
12KB
MD58cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3