Overview

overview

10

Static

static

1

swift copy.PDF.js

windows7-x64

10

swift copy.PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2023 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift copy.PDF.js

  • Size

    453KB

  • MD5

    811a102d237ae380b2d9517fa79f2c6d

  • SHA1

    17ff05d6c71c7c3f27be24cfd46b9653de9f67f2

  • SHA256

    47ac55851c62e30f0553a5d32f2b6a128f532b9904fbf5e100b53895ec8a86ca

  • SHA512

    3fcd5e98e5dbe0fb529ca77592bc012bc8560173114dfa754d363fe621b9336485a74fa48bd8bca4f676bfc91c2dc8ad5bc69c9a3b275b02722ec4e932688680

  • SSDEEP

    6144:N5gPKUmu6hIe4UhL60X4dOvNJ38QJfJiDzh8qQESvpWvnR4Rt1Prz2fLFh2WR:N56fmu6mUhZVJ1J8DnRvAtlf2

Score
10/10
vjw0rmtrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://jemyy.theworkpc.com:5401

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\swift copy.PDF.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ECqEVMhpHV.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2440
      • C:\Users\Admin\AppData\Roaming\bin.exe
        "C:\Users\Admin\AppData\Roaming\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1752
    • C:\Windows\SysWOW64\ktmutil.exe
      "C:\Windows\SysWOW64\ktmutil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\wteta.zip
      Filesize

      474KB

      MD5

      af10a982a2ef91c9787106eea1a0cc4a

      SHA1

      00435a36f5e6059287cde2cebb2882669cdba3a5

      SHA256

      e028068b067e5e60fa5680b0bafa48a31287b6d614ee0b92df51cce23b974099

      SHA512

      73d0d3034405527798b854dc33fc608c7ccf0af1689e139af4bbb5a5324dc0748bdc2bf632468745920dc7be4eb7f0240d3cf1b5872d3f5c0c897725db78bf9f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ECqEVMhpHV.js
      Filesize

      7KB

      MD5

      d7f1bd09dc54cdb298d18b01c350daad

      SHA1

      14389215c04486782b191d7e717604d47b4855f5

      SHA256

      1d15ca695084184b5e58a8ea3776bb5c8d2972c1d22d8ba0ded53b00bae8807b

      SHA512

      4fc09bf5626f1ce47a6b66b64bf9c3f22545ce481161f9b2c5e9fdc302d4d5b3e7acfd549bb24ec1405e4d93b3727abd301d957f32d44ed8d6d5cb3af7f8d976

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      904KB

      MD5

      5e5ba61531d74e45b11cadb79e7394a1

      SHA1

      677224e14aac9dd35f367d5eb1704b36e69356b8

      SHA256

      99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

      SHA512

      712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

      Download Submit

    • memory/1192-28-0x0000000003F80000-0x000000000403C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1192-26-0x0000000003F80000-0x000000000403C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1192-25-0x0000000003F80000-0x000000000403C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1752-13-0x00000000013A0000-0x00000000013DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1752-15-0x0000000000180000-0x000000000019B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1752-18-0x00000000013A0000-0x00000000013DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1752-19-0x0000000000180000-0x000000000019B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1752-9-0x00000000013A0000-0x00000000013DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1752-10-0x00000000013A0000-0x00000000013DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1752-12-0x0000000000860000-0x0000000000B63000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1752-14-0x00000000013A0000-0x00000000013DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2816-20-0x0000000001EC0000-0x00000000021C3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2816-24-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2816-23-0x0000000000510000-0x00000000005AA000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2816-27-0x0000000000510000-0x00000000005AA000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2816-16-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2816-22-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2816-17-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2816-69-0x0000000061E00000-0x0000000061ECE000-memory.dmp

      Filesize

      824KB

      Download