Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/10/2023, 10:36 UTC

General

  • Target

    Invoice PaymentPDF.js

  • Size

    5KB

  • MD5

    cb4d973520751a756027af396ef263fb

  • SHA1

    c6d0ac4edf12a65eedbbe387d8add54a7c0798ae

  • SHA256

    bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db

  • SHA512

    2ac46c69347e7c093c6fd7044cbf543193afaac790626410db98d0ec1020ff39e4b0eab0d3070380c0e4d5409547ef5530b035970e29cbbbef97b098f58fb9e7

  • SSDEEP

    96:SABNo5Dyk2c24ZRMHXE6/BIL+Ys+fJ/nDdQqR7bJyKUxvUu/ingHXRZfzYMe/jFT:zSz2c24ZRMlBIaYs+fJ7fRfWingHXRZe

Malware Config

Extracted

Family

vjw0rm

C2

http://172.245.244.118:7070

Signatures

  • Vjw0rm

    Vjw0rm (Vengeance Justice Worm) is a remote access trojan written in JavaScript and run through wscript.exe; it persists via the Startup folder and a Run key, and its enumeration of attached drives (flagged below) is consistent with its removable-drive spreading.

  • Blocklisted process makes network request (1 IoC)
  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice PaymentPDF.js"
    PID: 3884
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
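The two persistence behaviours flagged on this process (a file dropped into the Startup folder and a Run key value) are what a responder checks first on a suspect host. The script below is an added example, not part of the sandbox report or of the malware: it classifies HKCU Run values and Startup-folder entries that hand a script file to wscript.exe/cscript.exe/mshta.exe, and on Windows reads the live registry and Startup folder. The wscript.exe command line is the one from the process tree above; the Run value name "Invoice PaymentPDF", the Startup file name, the OneDrive entry and the client-side layout are assumptions made for the example.

```python
"""Triage the two persistence behaviours reported above: a script dropped into the
user's Startup folder and a Run value that relaunches the script host.

triage() works on plain data so it runs anywhere; collect_windows_state() reads the
live HKCU Run key and Startup folder when executed on the suspect Windows host.
"""
import os
import re
import sys
from collections import namedtuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# directories a user-level dropper can write to; only the first one appears in the report
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

Finding = namedtuple("Finding", "source name command reasons")

# Constructed sample state. The wscript.exe command line is the one from the process tree
# above; the value name, the Startup file name and the OneDrive entry are assumptions.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Invoice PaymentPDF": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice PaymentPDF.js"',
}
SAMPLE_STARTUP_FILES = ["desktop.ini", "Invoice PaymentPDF.js"]


def tokenize(command):
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def classify_command(command):
    """Reasons a start-up command looks like script-host persistence (empty list = benign)."""
    tokens = [t.lower() for t in tokenize(command)]
    if not tokens:
        return []
    reasons = []
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]   # basename of the launched program
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
    if any(t.endswith(SCRIPT_EXTS) for t in tokens):
        reasons.append("argument is a script file")
    if any(d in t for t in tokens for d in DROP_DIRS):
        reasons.append("points into a user-writable drop directory")
    return reasons


def triage(run_values, startup_files):
    """Run the classifier over Run values and Startup-folder file names."""
    findings = []
    for name, command in run_values.items():
        reasons = classify_command(command)
        if reasons:
            findings.append(Finding("HKCU\\" + RUN_KEY, name, command, reasons))
    for filename in startup_files:
        if filename.lower().endswith(SCRIPT_EXTS):
            findings.append(Finding("Startup folder", filename, filename, ["script file in Startup folder"]))
    return findings


def collect_windows_state():
    """Read the live HKCU Run values and the per-user Startup folder (Windows only)."""
    import winreg  # standard library, present only on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        _, value_count, _ = winreg.QueryInfoKey(key)
        for i in range(value_count):
            name, data, _ = winreg.EnumValue(key, i)
            run_values[name] = str(data)
    startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
    startup_files = os.listdir(startup) if os.path.isdir(startup) else []
    return run_values, startup_files


if __name__ == "__main__":
    if sys.platform == "win32":
        run_values, startup_files = collect_windows_state()
    else:
        run_values, startup_files = SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES
    for f in triage(run_values, startup_files):
        print(f"[{f.source}] {f.name}: {f.command}")
        print("    -> " + ", ".join(f.reasons))
```

Run it as the affected user so HKCU and %APPDATA% resolve to that profile. The report only shows HKCU-level persistence, so the collector does not walk HKLM Run/RunOnce, scheduled tasks or WMI subscriptions; add those if the host shows more than this sample does.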

Network

  • POST http://172.245.244.118:7070/Vre (remote host in US)
    Process: wscript.exe
    Remote address: 172.245.244.118:7070
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 172.245.244.118:7070
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 21 Oct 2023 10:38:03 GMT
  • The same POST /Vre request (identical headers, empty body) was sent by wscript.exe ten more times. The server answered each with an identical HTTP/1.1 200 OK (Transfer-Encoding: chunked, Server: Microsoft-HTTPAPI/2.0) carrying these Date headers:
    Sat, 21 Oct 2023 10:38:14, 10:38:25, 10:38:43, 10:38:54, 10:39:08, 10:39:25, 10:39:41, 10:39:59, 10:40:15 GMT
    The eleventh request had received no response when the analysis ended.
  • DNS PTR query 29.81.57.23.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: a23-57-81-29.deploy.static.akamaitechnologies.com
  • DNS PTR query 95.221.229.192.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: no PTR record returned
  • DNS PTR query 118.244.245.172.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: 172-245-244-118-host.colocrossing.com (reverse name of the C2 address 172.245.244.118)
  • DNS PTR query 73.31.126.40.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: no PTR record returned
  • DNS PTR query 9.228.82.20.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: no PTR record returned
  • DNS PTR query 43.229.111.52.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: no PTR record returned
  • DNS PTR query 58.189.79.40.in-addr.arpa (resolver 8.8.8.8:53, US)
    Response: no PTR record returned
  • 172.245.244.118:7070 (http, wscript.exe), URL http://172.245.244.118:7070/Vre
    Sent 4.2kB in 23 packets, received 2.1kB in 22 packets
    11 × POST http://172.245.244.118:7070/Vre: 10 answered with HTTP 200, the last one unanswered when the run ended
  • 8.8.8.8:53 (dns) 29.81.57.23.in-addr.arpa: sent 70 B, received 133 B, 1 packet each way
  • 8.8.8.8:53 (dns) 95.221.229.192.in-addr.arpa: sent 73 B, received 144 B, 1 packet each way
  • 8.8.8.8:53 (dns) 118.244.245.172.in-addr.arpa: sent 74 B, received 125 B, 1 packet each way
  • 8.8.8.8:53 (dns) 73.31.126.40.in-addr.arpa: sent 71 B, received 157 B, 1 packet each way
  • 8.8.8.8:53 (dns) 9.228.82.20.in-addr.arpa: sent 70 B, received 156 B, 1 packet each way
  • 8.8.8.8:53 (dns) 43.229.111.52.in-addr.arpa: sent 72 B, received 158 B, 1 packet each way
  • 8.8.8.8:53 (dns) 58.189.79.40.in-addr.arpa: sent 71 B, received 145 B, 1 packet each way
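The beacon above has three properties that survive a change of C2 address: a User-Agent that starts with "jw_" plus a hex ID and continues as backslash-separated host fields, an empty-bodied POST to a bare IP on a non-standard port, and a 10-20 s repeat interval. The script below is an added example, not part of the sandbox report: it scores proxy log lines on those three features and computes per client/destination beacon statistics. The URL, User-Agent and the ten timestamps (the response Date headers) are copied from the traffic above; the client address 10.0.0.5, the benign last line, the column layout and the meaning assigned to the first four User-Agent fields in parse_vjw0rm_ua (inferred from this one sample) are assumptions.

```python
"""Flag Vjw0rm-style HTTP beacons in a proxy log.

Features taken from the traffic above:
  * the User-Agent starts with "jw_" + a hex ID and continues as backslash-separated fields
  * each request is a POST with an empty body (Content-Length: 0) to a bare IP on a non-standard port
  * the same client repeats it every 10-20 seconds
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<ts> <client> <method> <url> <status> <content-length> <user-agent>".
# URL, User-Agent and the ten timestamps (response Date headers) are copied from the report
# above; the client address, the benign last line and the column layout are assumptions.
SAMPLE_LOG = r"""
2023-10-21T10:38:03Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:38:14Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:38:25Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:38:43Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:38:54Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:39:08Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:39:25Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:39:41Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:39:59Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:40:15Z 10.0.0.5 POST http://172.245.244.118:7070/Vre 200 0 jw_C4481AD5\HNFOSCDF\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
2023-10-21T10:40:20Z 10.0.0.5 GET https://www.example.com/ 200 0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<clen>\d+) (?P<ua>.*)$"
)
# "jw_<hex id>" followed by at least five backslash-delimited fields (empty fields allowed)
VJW0RM_UA = re.compile(r"^jw_[0-9A-Fa-f]{6,}(?:\\[^\\]*){5,}$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one log line into a record, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["clen"] = int(rec["clen"])
    rec["dest"] = urlsplit(rec["url"])
    return rec


def parse_vjw0rm_ua(ua):
    """Split the beacon User-Agent. The meaning of the first four fields is inferred from
    this sample (they match the sandbox VM and the C:\\Users\\Admin path); the rest are
    returned as-is."""
    fields = ua.split("\\")
    return {"id": fields[0][len("jw_"):], "hostname": fields[1], "username": fields[2],
            "os": fields[3], "trailing": fields[4:]}


def beacon_stats(records):
    """Per (client, host:port): request count and inter-request interval statistics."""
    stamps = defaultdict(list)
    for rec in records:
        stamps[(rec["client"], rec["dest"].netloc)].append(rec["ts"])
    out = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2:
            out[key] = {"count": len(times), "median_interval": statistics.median(gaps),
                        "min_interval": min(gaps), "max_interval": max(gaps)}
    return out


def classify(rec, pair_stats):
    """Return the reasons a single request looks like a Vjw0rm beacon (empty = clean)."""
    reasons = []
    if VJW0RM_UA.match(rec["ua"]):
        reasons.append("vjw0rm user-agent format")
    dest = rec["dest"]
    if (rec["method"] == "POST" and rec["clen"] == 0 and dest.hostname
            and BARE_IP.match(dest.hostname) and dest.port not in (None, 80, 443)):
        reasons.append(f"empty POST to bare IP on port {dest.port}")
    stats = pair_stats.get((rec["client"], dest.netloc))
    if stats and stats["count"] >= 5 and stats["median_interval"] < 60:
        reasons.append(f"periodic: {stats['count']} requests, median gap {stats['median_interval']:.0f}s")
    return reasons


def analyze(log_text):
    """Return (alerts, beacon statistics) for a whole log."""
    records = [r for r in (parse_line(line) for line in log_text.strip().splitlines()) if r]
    stats = beacon_stats(records)
    alerts = []
    for rec in records:
        reasons = classify(rec, stats)
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "client": rec["client"],
                           "url": rec["url"], "ua": rec["ua"], "reasons": reasons})
    return alerts, stats


if __name__ == "__main__":
    alerts, stats = analyze(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["client"], a["url"], "|", "; ".join(a["reasons"]))
    for (client, dest), s in stats.items():
        print(f"{client} -> {dest}: {s['count']} requests, gaps {s['min_interval']:.0f}-{s['max_interval']:.0f}s "
              f"(median {s['median_interval']:.0f}s)")
    print(parse_vjw0rm_ua(alerts[0]["ua"]))
```

On the ten requests above the computed gaps are 11 to 18 s with a median of 16 s, so each line gets all three reasons while the Mozilla line gets none. The User-Agent pattern is the high-confidence feature; the other two exist so that a variant which changes the "jw_" prefix still surfaces through the empty-POST-plus-periodicity combination, at the cost of some review of other software that polls a bare IP.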

MITRE ATT&CK Enterprise v15
