Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2023 02:04

General

  • Target: 23d1f183e50e7ea2393fa5eded265813.js
  • Size: 32KB
  • MD5: 23d1f183e50e7ea2393fa5eded265813
  • SHA1: a85f64b11fe641fd18bb4b79f2779b11dd4c0869
  • SHA256: 47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb
  • SHA512: 740fd98898e225fe70f107c21eab6867436054e152e58828be39f0de022fc670150add5b6034a3bae3b91af91dacbfb230d47732c4b4fb7bfefee8a0175fef43
  • SSDEEP: 768:Ic41Uru47JvsonG/SOWrey516BGpJiuoEY03l83:4UFUoTezMpJiqU

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 4536, depth 1)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\23d1f183e50e7ea2393fa5eded265813.js
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 2576, depth 2, child of 4536)
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"
      • Blocklisted process makes network request
    • C:\Windows\System32\wscript.exe (PID 4412, depth 2, child of 4536)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"
      • Drops startup file
      • Adds Run key to start application
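The process tree and the signatures above describe one execution chain: wscript.exe running the submitted .js spawns two more wscript.exe instances, one on a dropped .vbs in Local\Temp and one on a dropped .js in AppData\Roaming launched with //B (batch mode, which suppresses script error dialogs), and the latter adds a Run key. The following detection logic is an added example, not part of the sandbox report or of any vendor's rule set. It runs three checks over constructed, Sysmon-shaped event records (EventID 1 process creation, EventID 13 registry value set) that mirror the processes listed on this page; the Run key value name, the user SID and the two benign records are assumptions, since the report only states that a Run key was added.

```python
import re

# Windows Script Host binaries the dropper chains through (wscript.exe here).
SCRIPT_HOST = re.compile(r"\\(?:w|c)script\.exe$", re.IGNORECASE)
# User-writable locations; the report shows drops in both of these.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)
# Extensions wscript.exe will execute.
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh)\b", re.IGNORECASE)
# //B = batch mode; it hides script errors from the user and is rare in interactive use.
SILENT_FLAG = re.compile(r"(?:^|\s)//B(?:\s|$)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed records modelled on the process tree above (PIDs 4536, 2576, 4412 are
# taken from the report). The Run key value name "MuCMRJfbWc", the SID and the two
# benign records are assumptions made for the example.
EVENTS = [
    {"EventID": 1, "ProcessId": 4536, "ParentProcessId": 1234,
     "Image": r"C:\Windows\system32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\23d1f183e50e7ea2393fa5eded265813.js"},
    {"EventID": 1, "ProcessId": 2576, "ParentProcessId": 4536,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"'},
    {"EventID": 1, "ProcessId": 4412, "ParentProcessId": 4536,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"'},
    {"EventID": 13, "ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MuCMRJfbWc",
     "Details": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"'},
    # Benign (assumed): a logon script from a share, launched by explorer, no //B.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\map_drives.vbs"},
    # Benign (assumed): a scheduled task using //B on a script outside the user profile.
    {"EventID": 1, "ProcessId": 5001, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe //B C:\ProgramData\Vendor\inventory.vbs"},
]


def detect(events):
    """Return findings as (rule_name, process id, evidence) tuples."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
            # A script host spawning another script host is the dropper stage seen above.
            if SCRIPT_HOST.search(image) and SCRIPT_HOST.search(parent):
                findings.append(("script_host_spawns_script_host", ev["ProcessId"], cmd))
            # Batch-mode execution of a script that lives in a user-writable directory.
            if SCRIPT_HOST.search(image) and SILENT_FLAG.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(("silent_script_from_user_profile", ev["ProcessId"], cmd))
        elif ev["EventID"] == 13:
            target, details = ev["TargetObject"], ev["Details"]
            # Run key persistence whose value points at a script under the user profile.
            if RUN_KEY.search(target) and SCRIPT_EXT.search(details) and USER_WRITABLE.search(details):
                findings.append(("run_key_points_at_user_profile_script", ev["ProcessId"], target))
    return findings


def ancestry(events, pid):
    """Walk ParentProcessId links back to the root; returns pids root-first."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule}: pid={pid} chain={ancestry(EVENTS, pid)} evidence={evidence}")
```

The two benign records show why each rule carries a second condition: wscript.exe alone, or //B alone, is common on managed Windows estates, and it is the combination with a script-host parent or a script in AppData that matches the chain in this report. The single sample shown here is the ancestor hashes in the General section above, so pair any alert with the dropped-file hashes from the Downloads section when confirming a hit.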

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\VLK.vbs
    Filesize: 2KB
    MD5: 6dfc3b5e6d03b18f354fca422f625c72
    SHA1: b62e9bd385f2ab06fc0fa0bcf48ef41b6cd5bc1d
    SHA256: 2f47caad055b12872d1501f273fe4b86bb641a1f9c1f257dcb0c12f70c1870a9
    SHA512: 65dc64def37722cadd37bd0020d18b30697fe36a5a402f775d4bf3975066064264189cb39d09d25d57cfe86ef33b1ce1b16aa8ae8c780bb4e6e80fd794fa0ba9

  • C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js
    Filesize: 10KB
    MD5: ef6faacbf40e1fe1de245177065a4f68
    SHA1: d3d4baa744b10d39ddb7b4e048e18149d689e47c
    SHA256: 5b5fe15c592a94116c3aca25c92c8e17b16245898bb3557a620449a16091a2d9
    SHA512: dbd55abb487f5860ea4d8517092acd80c508aa69b9a6f6876465d80d5cb8dfdaed02619f6459c23a43781da6d23efc3998a1f9b4c11e2ddbe5b4b1e36a5af9ab