Overview

overview

10

Static

static

1

a3b2ac28fb...5a1.js

windows7-x64

10

a3b2ac28fb...5a1.js

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3b2ac28fb71d8461b6c90327fabb5a1.js

  • Size

    904KB

  • MD5

    a3b2ac28fb71d8461b6c90327fabb5a1

  • SHA1

    033bf48edff207df74d6b78410040f391750db8f

  • SHA256

    e33df6ad1c1f683b5fe7dd5edfe1d0f9e246ab41364b3f6ae297e717a5ff8026

  • SHA512

    4174fd12ac86611280ffb1c3afaffbeb1c888f7835747738dba38cce5c75093c6831bb509236839fb67931bc77f925575e418d89bf295e8265d0987b266efc89

  • SSDEEP

    12288:Ms4IgvqEHGaezYf9R/sT1FmyPNweSj0UViZvc7CuvJzQdypXTjafMvjkyK0rcbtb:MND8akYlR/g+XCuBLjyMv4yWjPjb

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\a3b2ac28fb71d8461b6c90327fabb5a1.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:3724
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lwuxrwogxx.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2196
      • C:\Program Files\Java\jre-1.8\bin\java.exe
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.139829475948636825895116590651878677.class
        3⤵
          PID:2680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      46B

      MD5

      49c00ed2c72471a7a032119f6ed708ca

      SHA1

      0fbda1dbc9d4a8b93bbdf4429c825bdbb238748c

      SHA256

      12f2fce8c99dd77864fe8fc12ee2ea8238a5276b561ffe9671697cd0362ed8f8

      SHA512

      6f2dd98e8be1f28f1214cae4fd15c870b97ad040de809e8fd24c9759b30309c399ae498b5476927b2a58fa588997b399d5d320f2d5841b87daf8f691d034aa0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_0.139829475948636825895116590651878677.class
      Filesize

      241KB

      MD5

      781fb531354d6f291f1ccab48da6d39f

      SHA1

      9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

      SHA256

      97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

      SHA512

      3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3791175113-1062217823-1177695025-1000\83aa4cc77f591dfc2374580bbd95f6ba_7b8f07fe-a7f0-4575-9cf9-ed7e955e46ae
      Filesize

      45B

      MD5

      c8366ae350e7019aefc9d1e6e6a498c6

      SHA1

      5731d8a3e6568a5f2dfbbc87e3db9637df280b61

      SHA256

      11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

      SHA512

      33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js
      Filesize

      10KB

      MD5

      1ba75bca44a20a321cea4e496ce91a85

      SHA1

      5a14b44b498f56cbe7b248c537479c845ff465c6

      SHA256

      4035eee1e50075cfcaf233c8d0511dfeeeb01870b1a4baf4a43e9b37a03cc804

      SHA512

      2aaf2cafe8951a03e81d56eadb1d83516a9fc986d7ce6e8aa9a2704da1916feb900b42e271979cdfd0c8852ed2fa17c948a394d3e5977a47e2140fcb2d945481

      Download Submit

    • C:\Users\Admin\AppData\Roaming\lwuxrwogxx.txt
      Filesize

      473KB

      MD5

      57845a03f0630d3fbb9caa203e940935

      SHA1

      9c4bb48d46593af760ddb9aec6160e2f379e99f7

      SHA256

      85e1a1df9973a080afe6a11d338a36994732a40cf9f891ec7f2b69dc56aed19f

      SHA512

      7ede78b67b49d91d13ab3eb642874263899231d1c4fbb1fa5575f8c904f46fb32091986b9bd9f2824859f6e6748f112314e745f0ac858d08f3a3b9b152ee64e1

      Download Submit

    • memory/2680-70-0x0000022E83B90000-0x0000022E83BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-75-0x0000022E83BC0000-0x0000022E83BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-30-0x0000022E83920000-0x0000022E84920000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2680-41-0x0000022E82060000-0x0000022E82061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2680-42-0x0000022E82060000-0x0000022E82061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2680-79-0x0000022E83BE0000-0x0000022E83BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-78-0x0000022E83BD0000-0x0000022E83BE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-74-0x0000022E83BB0000-0x0000022E83BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-71-0x0000022E83BA0000-0x0000022E83BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-12-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4776-77-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4776-22-0x000001AAAEAB0000-0x000001AAAEAB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4776-51-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4776-40-0x000001AAAEAB0000-0x000001AAAEAB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4776-80-0x000001AAAEAB0000-0x000001AAAEAB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4776-82-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4776-85-0x000001AAAEAB0000-0x000001AAAEAB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4776-90-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4776-95-0x000001AAB0390000-0x000001AAB1390000-memory.dmp

      Filesize

      16.0MB

      Download