Overview

overview

10

Static

static

1

RFQ SANOVIT.js

windows7-x64

10

RFQ SANOVIT.js

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ SANOVIT.js

  • Size

    5.8MB

  • MD5

    68fe8b2c25d14040c66447c5c79a9ada

  • SHA1

    cad211509ce75af931879b13af4f97d1e550f427

  • SHA256

    830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

  • SHA512

    8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

  • SSDEEP

    24576:KDlDx+TAMOOb5biMkVXTFQRkdgMdsrot/ycPMP4qavnS8CQD+52/UBT6twHHeV1E:X

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 18 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ SANOVIT.js"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3836
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js
    Filesize

    346KB

    MD5

    f512b9328455558e518c93d453b7d6e0

    SHA1

    bf5cf55fae037e024ac2a29497094b4c1e3a8b87

    SHA256

    16d47f03cbf0fff0bef5ff6437179c8b480021abffa9663faa302a3d4a978392

    SHA512

    c41ea1aee8636a4b49a9cce99f77c2ac4f5cc7b7494957beb0579f3370a6268330185ce889c028cfeb557ff3d4922d0370f788bf5104f02cfe8558f65ea1f82d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js
    Filesize

    5.6MB

    MD5

    9d777f915ec706b342f0417ccf43891f

    SHA1

    03b22a244eaba02e19bd62be51afc3c37f587004

    SHA256

    ba305584a00792886a28f0a414cdb5ab8dfec81f25bb97e651f9c57cd25e7690

    SHA512

    24797500a0d99258ed7b2bd9cd7d45847a898815a15e0787932342fd940c300726cb31b7141372cb4ca54fa1a9fffe5f8694256b758bc636f1e2760f265eeff1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js
    Filesize

    4.8MB

    MD5

    eb47ce37a2c04ee8779dc5d7d6a24101

    SHA1

    f73609df23e3888c0a829dafdb10aeeae50f1395

    SHA256

    82f8a60c707ae9c13cd77d617a722511696e446c246742978d715a7b48d4f4f3

    SHA512

    6ba5bc76aa451bb05e1b042d796e1abfc3d20a0cc12ac69c31d4dfe6a58045cc4090c2cfb2e33c4792de375b00299ab80ffe3b60564c08cdec69773713198d13

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js
    Filesize

    5.8MB

    MD5

    68fe8b2c25d14040c66447c5c79a9ada

    SHA1

    cad211509ce75af931879b13af4f97d1e550f427

    SHA256

    830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

    SHA512

    8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

    Download Submit