Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 02:04 UTC

General

  • Target

    23d1f183e50e7ea2393fa5eded265813.js

  • Size

    32KB

  • MD5

    23d1f183e50e7ea2393fa5eded265813

  • SHA1

    a85f64b11fe641fd18bb4b79f2779b11dd4c0869

  • SHA256

    47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb

  • SHA512

    740fd98898e225fe70f107c21eab6867436054e152e58828be39f0de022fc670150add5b6034a3bae3b91af91dacbfb230d47732c4b4fb7bfefee8a0175fef43

  • SSDEEP

    768:Ic41Uru47JvsonG/SOWrey516BGpJiuoEY03l83:4UFUoTezMpJiqU

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (7 IoCs)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 1900)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\23d1f183e50e7ea2393fa5eded265813.js
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 2208, child of 1900)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"
      • Drops startup file
      • Adds Run key to start application
    • C:\Windows\System32\wscript.exe (PID 2740, child of 1900)
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"
      • Blocklisted process makes network request

Network

  • DNS query from wscript.exe to 8.8.8.8:53
    Request:  javaslinns.duia.ro IN A
    Response: (none listed)

  • Connections

    Remote address     Domain              Proto  Process      Sent   Received  Pkts sent  Pkts received
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  152 B            3
    194.5.98.75:5742                              wscript.exe  52 B             1
    8.8.8.8:53         javaslinns.duia.ro  dns    wscript.exe  64 B   120 B     1          1
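The process tree and network table above describe one chain: wscript.exe runs the dropper from Temp, re-launches itself in batch mode (//B) on a copy placed under %APPDATA%, persists via a Run key and a Startup-folder file, then resolves javaslinns.duia.ro and connects to 194.5.98.75:5742. The block below is an added example, not part of the sandbox report and not the sandbox vendor's code: it turns those behaviours into hunting rules and runs them over constructed Sysmon-style events (field names follow Sysmon EventID 1, 3, 11, 13 and 22). Only the C2 domain, IP, port and dropped-file names come from the report; the event records, the Run-key value name and the user SID are assumptions made for the demo.

```python
"""Hunting rules for the Vjw0rm behaviour chain shown in the report above.

Added example; not part of the sandbox report and not the sandbox vendor's
code. Field names follow the Sysmon schema for EventID 1 (process create),
3 (network connect), 11 (file create), 13 (registry value set) and
22 (DNS query). Only the C2 domain, IP, port and dropped-file names are
taken from the report; every event below is constructed for this demo, and
the Run-key value name and user SID are assumptions.
"""
import re

# Indicators copied from the report's Network and Downloads sections.
C2_HOST = "javaslinns.duia.ro"
C2_ADDR = "194.5.98.75"
C2_PORT = 5742

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)


def match_event(ev):
    """Return the names of the rules a single event triggers (empty if none)."""
    hits = []
    eid = ev["EventID"]
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        # wscript.exe re-launching wscript.exe on a script copied under %APPDATA%
        # is the dropper-to-persistent-copy step seen in the process tree.
        if (SCRIPT_HOST.search(ev.get("ParentImage", ""))
                and SCRIPT_HOST.search(ev.get("Image", ""))
                and SCRIPT_EXT.search(cmd) and APPDATA.search(cmd)):
            hits.append("wscript_spawns_wscript_on_appdata_script")
        # //B (batch mode) suppresses the script-error dialogs a user might notice.
        if "//b" in cmd.lower().split():
            hits.append("wscript_batch_mode")
    elif eid == 3:
        # A script host has no business opening sockets on most endpoints.
        if SCRIPT_HOST.search(ev.get("Image", "")):
            hits.append("script_host_outbound_connection")
        if ev.get("DestinationIp") == C2_ADDR or ev.get("DestinationPort") == C2_PORT:
            hits.append("known_vjw0rm_c2_endpoint")
    elif eid == 11:
        name = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(name) and SCRIPT_EXT.search(name):
            hits.append("script_dropped_in_startup_folder")
    elif eid == 13:
        details = ev.get("Details", "")
        if (RUN_KEY.search(ev.get("TargetObject", ""))
                and APPDATA.search(details) and SCRIPT_EXT.search(details)):
            hits.append("run_key_points_to_appdata_script")
    elif eid == 22:
        if ev.get("QueryName", "").lower() == C2_HOST:
            hits.append("known_vjw0rm_c2_domain")
    return hits


def scan(events):
    """Map the index of every event that triggers a rule to its list of hits."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings[i] = hits
    return findings


WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed events mirroring the report's process tree and network table.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": WSCRIPT, "Image": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"'},
    {"EventID": 13, "Image": WSCRIPT,  # value name and SID are assumptions
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MuCMRJfbWc",
     "Details": r"C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"},
    {"EventID": 11, "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js"},
    {"EventID": 3, "Image": WSCRIPT, "DestinationIp": "194.5.98.75", "DestinationPort": 5742},
    {"EventID": 22, "Image": WSCRIPT, "QueryName": "javaslinns.duia.ro"},
    # Benign activity that must not fire.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt'},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The behavioural rules (script host spawning a script host on an %APPDATA% script, Run key or Startup entry pointing at a script, a script host opening a socket) are the ones worth keeping after this sample's infrastructure changes; the domain, IP and port checks are brittle and only identify this campaign.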

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VLK.vbs

    Filesize

    2KB

    MD5

    6dfc3b5e6d03b18f354fca422f625c72

    SHA1

    b62e9bd385f2ab06fc0fa0bcf48ef41b6cd5bc1d

    SHA256

    2f47caad055b12872d1501f273fe4b86bb641a1f9c1f257dcb0c12f70c1870a9

    SHA512

    65dc64def37722cadd37bd0020d18b30697fe36a5a402f775d4bf3975066064264189cb39d09d25d57cfe86ef33b1ce1b16aa8ae8c780bb4e6e80fd794fa0ba9

  • C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js

    Filesize

    10KB

    MD5

    ef6faacbf40e1fe1de245177065a4f68

    SHA1

    d3d4baa744b10d39ddb7b4e048e18149d689e47c

    SHA256

    5b5fe15c592a94116c3aca25c92c8e17b16245898bb3557a620449a16091a2d9

    SHA512

    dbd55abb487f5860ea4d8517092acd80c508aa69b9a6f6876465d80d5cb8dfdaed02619f6459c23a43781da6d23efc3998a1f9b4c11e2ddbe5b4b1e36a5af9ab
