Overview

overview

10

Static

static

1

7371063acb...b99.js

windows7-x64

10

7371063acb...b99.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7371063acbfacc81ffdeaeea7e75eb99.js

  • Size

    201KB

  • MD5

    7371063acbfacc81ffdeaeea7e75eb99

  • SHA1

    28ee63662467f1ab7c682eec227b66db7ccadeca

  • SHA256

    6915f06eb48cc9d71dbc136313c6a935b36844641f9b2ae1e85e08ccc74d8e73

  • SHA512

    8b3bebb2cd6f97a49f98e3072393ea6ad2f46e0f4ba4a25b1293c10b1fe75e192800d6b47c60b03680934517e35d2dc6c4786f0122785675e1cc2e247fa292dd

  • SSDEEP

    3072:g4XSfd1uBfPamtsz6VVKDllWtfjKNan1a4Bbn8PUyBJAN:ofPK1fVaWhONi1J78PMN

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\7371063acbfacc81ffdeaeea7e75eb99.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PNIsXqzyQf.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:2172
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rvogfqnfmk.txt"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:4352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    e275d5e743e5cdf7fc5688dceb8019c2

    SHA1

    ade3782f68023c88bbba0f15502673a127cbacde

    SHA256

    836fb0df6a17a0f8489cf5ced0d0984ce2bf9e04b6bfba61ce451acae6bf6efd

    SHA512

    8dbdf4f6e3a5a5e951338d646018781ec6faaa93f217428ba9a37301edd4fa23158fe854500ddccba5a9af327b461c1a4e98af0d4903bc6517ffd2d5dbf0e662

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PNIsXqzyQf.js
    Filesize

    9KB

    MD5

    93451bfa41b44af1f45d80b9feb2a73d

    SHA1

    ea15542e8ebf859d751de6af1af3966d73a16f1a

    SHA256

    9ee8fb95e2771cf84659aa10cfa773a90ba5d58b577f489ec808d6fce7fbd6cb

    SHA512

    145be16dfce485c7c32077689c581e06f8bc1af9bc0f1e2fb8e02ddd7eafc11f5fa8a7a263e09bde4ee89d68bee4486cc8ccd939a15113b467ccadc42e4a1cbd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rvogfqnfmk.txt
    Filesize

    92KB

    MD5

    06f61cd3d0cdf9257fcdac6483d4c1ba

    SHA1

    f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f

    SHA256

    424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f

    SHA512

    9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

    Download Submit

  • memory/2500-35-0x000001B4CBB10000-0x000001B4CBB11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-24-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-26-0x000001B4CBB10000-0x000001B4CBB11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-10-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-39-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-52-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-56-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-60-0x000001B4CD360000-0x000001B4CE360000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2500-59-0x000001B4CBB10000-0x000001B4CBB11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-87-0x000001B4CBB10000-0x000001B4CBB11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-91-0x000001B4CBB10000-0x000001B4CBB11000-memory.dmp

    Filesize

    4KB

    Download