Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

9154158d95...529.js

windows7-x64

10

9154158d95...529.js

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2023, 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9154158d95df39303de36b475a790529.js

  • Size

    207KB

  • MD5

    9154158d95df39303de36b475a790529

  • SHA1

    b79ad43d110887b9302bbfca092517a1fb0f43f3

  • SHA256

    ce8e23a1309e4fbe54a48d36c5c68af97df72073acce4a930df3246a34a75f32

  • SHA512

    de36f4d45c7b03f8cb70498bfd7a9285303814eb20a9a7f09a7855db6daacf817e4e6a0f63f6e63dd46b8bff7d4704155daa4fb2e9ca5a4902957dead3ee7a82

  • SSDEEP

    6144:Fsz4hHiD3tMMqaMqKg+CJpjEwIjzHAOweb:FfimpXUJpa3r

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9154158d95df39303de36b475a790529.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:940
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ypoxbwojq.txt"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:4916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    55644bb2e65b1ea504fc4eeb028b83e1

    SHA1

    226cc4d5f8843f29f00a727d48559e1ca47afc07

    SHA256

    6cb261b10133750f5a02dccf5ae96c3d50fae9ad3b62e8d80f4adbf70d4969ee

    SHA512

    085c7d12c25f6c95963ee54283b0f6240530b4f0b8223b418e3384c2883c5dce7013e5e4c32231cace4937d1e8a54252b3e7a06e106512363287e73e92777392

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js
    Filesize

    10KB

    MD5

    5f1405a47e8cf0bc0188332a4a791761

    SHA1

    638fe4be43f13d79266be5ee35b7879fdeafc71a

    SHA256

    d9d12a49414db2909da558bed4013e0987fe61140f3c4e17501800ac32d422f7

    SHA512

    d2e722dea389123c24534bc661352a7bf42188b47428bb24f1507db4b68f0d47e49b3f95d8cab3f7d5470aa31f51fa72be5d63a4560e785d04860d2a5bd54313

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ypoxbwojq.txt
    Filesize

    92KB

    MD5

    2e458a59025b390fbdf7d3717314b507

    SHA1

    d5a84f501bfa81682ebde5e31a68794140141785

    SHA256

    6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

    SHA512

    2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

    Download Submit

  • memory/2608-11-0x0000018066720000-0x0000018067720000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2608-19-0x0000018066700000-0x0000018066701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-27-0x00000180669B0000-0x00000180669C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2608-26-0x0000018066720000-0x0000018067720000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2608-28-0x00000180669A0000-0x00000180669B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2608-29-0x00000180669C0000-0x00000180669D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2608-30-0x0000018066720000-0x0000018067720000-memory.dmp

    Filesize

    16.0MB

    Download