Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

607e7ae85b...580.js

windows7-x64

10

607e7ae85b...580.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2024, 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    607e7ae85b834c95db9a85d479751580.js

  • Size

    207KB

  • MD5

    607e7ae85b834c95db9a85d479751580

  • SHA1

    185d69ebb99a415f47c83936c3a4ae3da12f7aa6

  • SHA256

    9ef3d03530f8deac1764f12fe8260303fe8a5838e2858999674bf08cf90369e9

  • SHA512

    65c5b4c95a5fe4ca6470a5abd6ef4de2f77fc2ed0638f914227190939d92378109216ea772ebf685858550c9d10586a6660642ae30ea26d3c8833e2ea77e2825

  • SSDEEP

    3072:dLmh3QXXwTHXGsE8UX7vyzdiTqhtU3Pe5lawoZt5btCbYfjtqatzhILnGfw/:UV5H2s1UXWzdiTmU26woT5RJqcIX

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\607e7ae85b834c95db9a85d479751580.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CDImfLjZVm.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:4384
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lfchjduq.txt"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    5aa66ccc0876198b662ced72c65439be

    SHA1

    0e6563b83953ac2983bd77de591efeb569152046

    SHA256

    483c5c2fcbd194dd85c77af36b771e45a7a325ad5fbffce54d183d973eefe524

    SHA512

    2af9500c8b91a90fb5240ad4b7050ff99f3e959a80f8e4baee24c2186b0269aad12f4e2d7e574d1c35ecd38f9362c571b0b514d2b7ad947271a090b2cf947d20

    Download Submit

  • C:\Users\Admin\AppData\Roaming\CDImfLjZVm.js
    Filesize

    10KB

    MD5

    3c42714a2658cc70b45e715b97896d61

    SHA1

    11bdbbe7fe227bf2b06663c4e840c3db2c09200c

    SHA256

    13a0e50640c3bcfbe873da3a4a6483aabfd48cac75840e6b6c4991beb4468df1

    SHA512

    c42cff63543040f6c27d2fd69f2d54d9a69f5674ee842890c657cf1dc674fa5b59aa9d7fc7823a6b984a2930a66287b88f1b7ec87d9ea3bc0ccc1408ec798f5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lfchjduq.txt
    Filesize

    92KB

    MD5

    2e458a59025b390fbdf7d3717314b507

    SHA1

    d5a84f501bfa81682ebde5e31a68794140141785

    SHA256

    6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

    SHA512

    2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

    Download Submit

  • memory/4476-11-0x0000014F33450000-0x0000014F34450000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4476-19-0x0000014F31C60000-0x0000014F31C61000-memory.dmp

    Filesize

    4KB

    Download