Analysis
-
max time kernel
157s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-12-2023 19:57
General
-
Target
8a64707b027a9b569641b6151c54ba24.js
-
Size
16KB
-
MD5
8a64707b027a9b569641b6151c54ba24
-
SHA1
b34f4dbb2f5b9a34645ea444db51841d9325a8cf
-
SHA256
6e64dbcbe7e1c0e0eb8f4f967b936221c7a6c0185718fe991612e478e22f9cc8
-
SHA512
9cade1e35eca162b7c06529b104db155e7c3a3f62965a88cbc66d709ee17ae7e86f53307b2208829d8c1ed498c96bbc3f73e7935df12b01533b4ef693f900456
-
SSDEEP
384:MweGYgHCLCQr8POER/JmuCOfhYFAFYQhIZGaN+Ce2buvm/vNDe7:umDQr8Wt5O+FBQhyZe2bZo7
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\8a64707b027a9b569641b6151c54ba24.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NBQpvDxIha.js"2⤵
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD51807d266a0331297bb3459474f4a78b5
SHA1724d14ff54fa10acdddb4d158c68782388ca3ae6
SHA2560167ce0f367ac05128ac702d9f1b8a853a56e5fc0fa113d53a34266b6de3f1ac
SHA512a980c5db1bfe54a7cf5e091ae79a73240c1d17cc6cdd99b154375921030827cc0494bf8a024d0ba9a22aeb14a0960d8c8011b84683142c72ed7030c01327d132