Analysis
-
max time kernel
144s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31-12-2023 04:59
General
-
Target
2921078ffa801cc6b1f03e43ecc21969.js
-
Size
32KB
-
MD5
2921078ffa801cc6b1f03e43ecc21969
-
SHA1
906058e1e1ce4d586426ae1ad70d971f3da83a17
-
SHA256
4dcdeee1e442d12f58dd818e95c31f562d34546c4d61618f7e6322a8c2b5fa0e
-
SHA512
92cf75cd46faf4b277145bb5a288aa766ba0154a26a7f2def79b33b758847df2a72d7adec103b358a7ef5b09d6a988327c70729903acef394faeea259d99fa35
-
SSDEEP
768:At0LO4yXv+UWSPb+C6qHOteIy4KUubJ2J01Zalb8Y03l83:Q06+UWDcOteXAJkZalwU
Score
10/10
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\2921078ffa801cc6b1f03e43ecc21969.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\TN.vbs"2⤵
- Blocklisted process makes network request
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"2⤵
- Drops startup file
- Adds Run key to start application
-