Overview

overview

10

Static

static

1

RFQ SANOVIT.js

windows7-x64

10

RFQ SANOVIT.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ SANOVIT.js

  • Size

    5.8MB

  • MD5

    68fe8b2c25d14040c66447c5c79a9ada

  • SHA1

    cad211509ce75af931879b13af4f97d1e550f427

  • SHA256

    830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

  • SHA512

    8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

  • SSDEEP

    24576:KDlDx+TAMOOb5biMkVXTFQRkdgMdsrot/ycPMP4qavnS8CQD+52/UBT6twHHeV1E:X

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 19 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ SANOVIT.js"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:808
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js
    Filesize

    346KB

    MD5

    f512b9328455558e518c93d453b7d6e0

    SHA1

    bf5cf55fae037e024ac2a29497094b4c1e3a8b87

    SHA256

    16d47f03cbf0fff0bef5ff6437179c8b480021abffa9663faa302a3d4a978392

    SHA512

    c41ea1aee8636a4b49a9cce99f77c2ac4f5cc7b7494957beb0579f3370a6268330185ce889c028cfeb557ff3d4922d0370f788bf5104f02cfe8558f65ea1f82d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js
    Filesize

    5.8MB

    MD5

    68fe8b2c25d14040c66447c5c79a9ada

    SHA1

    cad211509ce75af931879b13af4f97d1e550f427

    SHA256

    830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

    SHA512

    8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

    Download Submit