Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-01-2024 12:31

General

  • Target: 629f8999b4ec2a1bc2ae34acb1c13407.js
  • Size: 202KB
  • MD5: 629f8999b4ec2a1bc2ae34acb1c13407
  • SHA1: ba6f828410418a011505ecc46531f8e41d7c8aa7
  • SHA256: a9d56c2aaf9c1885ac43e22fb44a03fd7c5bfb279e085877028f5aae9c898901
  • SHA512: f04832457db6157b6c209af2b12352210b962146f69150316958df28a6765be1109f0fe72123bef3a05f612b6493e84a02a5148f706bf84c982b758c79933b2f
  • SSDEEP: 3072:AVq6TAShnhRrF+Uyd2mfrZcvCU2fRxF/bIJFnrYoQNpUBARmXgjn2yPAvnX7EMv:QTtRrFCdLfSR2f9/egMimGPQnXoMv

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (12 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\629f8999b4ec2a1bc2ae34acb1c13407.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\StbzgazmPv.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:1504
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dxmghjnp.txt"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:3444

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize: 46B
    MD5: 38aa240c8ae9f869b1a0301748b4dab8
    SHA1: 6d7397e27ebf32ff826f4b2dc4f38f4aa9a7aba9
    SHA256: ecbbbaa87be1bbc81dc40bd57960e6b63d7ff686ad88d78b1f5c7b3c061656d4
    SHA512: 9e47064dbbb18a7729ca6c40202ddeef13b96a1fec36b459b051f0b8ef6a44ba898572a46c95705e4d68f4b3dd9cce1fce2e83f521f7d7e4c3b16d10ada7ed17

  • C:\Users\Admin\AppData\Roaming\StbzgazmPv.js
    Filesize: 9KB
    MD5: fa19afbc5cae56e8abe0b5f32a84ccf0
    SHA1: 917e052d1678736ba36b00e21158fc6ac40a87ca
    SHA256: c03bf55f0715436228bfb0f1206098fb3c8308e0d0702a1e62d5ca120871666c
    SHA512: 649641cd45730d9224588946894b0ee0145e32e971eb08c86d28092fbc611be09e5fed696f96e2170b8ae83a3970dadbb8a1c40290ded11127b716aadc97d6b4

  • C:\Users\Admin\AppData\Roaming\dxmghjnp.txt
    Filesize: 92KB
    MD5: e6530493fa7a2b8c9decd6ff933142f5
    SHA1: da2b954fb7a838ead9ff88d1dc15de0348d8415a
    SHA256: 9c84bb45a54ef6c903b56cf829fecbdeaaadc8ef59cef8077265953aad655756
    SHA512: aae36f8c48037dabdc70badd15722c765dc9b349c1a9b41dc8a0ecaa6d95c283f9cfa4bc9e3fc07b60947b7467be85f4b91f053cc6d5d143f5dde4a15fd3994f

  • memory/624-11-0x00000201CAB10000-0x00000201CBB10000-memory.dmp
    Filesize: 16.0MB

  • memory/624-19-0x00000201C9340000-0x00000201C9341000-memory.dmp
    Filesize: 4KB

  • memory/624-24-0x00000201CAB10000-0x00000201CBB10000-memory.dmp
    Filesize: 16.0MB

  • memory/624-26-0x00000201CAD90000-0x00000201CADA0000-memory.dmp
    Filesize: 64KB

  • memory/624-27-0x00000201CADA0000-0x00000201CADB0000-memory.dmp
    Filesize: 64KB

  • memory/624-28-0x00000201CAB10000-0x00000201CBB10000-memory.dmp
    Filesize: 16.0MB