Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
21-01-2024 06:09
General
-
Target
6c8cb6d8a307774cdd5229cae0a74fa2.js
-
Size
15KB
-
MD5
6c8cb6d8a307774cdd5229cae0a74fa2
-
SHA1
1dae1ca15bdc9eb2d3250f45b612d852c7caefda
-
SHA256
da60503512af869134e5698522fd48d794e650e0749feaf07d120b17f4cccd73
-
SHA512
a494e3240297489819f209c86a98361b27174e853fec3eff9d6959ad8a10efdc6c5f956d668349c8b4a46d3ac1a48fd89426e7e36de33eca74902047d89aca4d
-
SSDEEP
384:s4ws20zJwYx/HaeXI5wRYVShCGO5WJFHuBUlxa:sR0l7o5+8GJJ/Y
Score
10/10
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 18 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\6c8cb6d8a307774cdd5229cae0a74fa2.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\6c8cb6d8a307774cdd5229cae0a74fa2.js2⤵
- Creates scheduled task(s)
-