Overview

overview

10

Static

static

1

b66fe74731...fe3.js

windows7-x64

10

b66fe74731...fe3.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-03-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b66fe74731233f91d26f03d3ac6c0fe3.js

  • Size

    905KB

  • MD5

    b66fe74731233f91d26f03d3ac6c0fe3

  • SHA1

    450a3eb0ec332e643658bc6a8a5a94fb4b0f41b9

  • SHA256

    877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8

  • SHA512

    c63c7eba2692232e4f8a84f2a6945adcf24187ff3d9ec8f7be29e51b3c2ff3c710b3d2cc6604434c2a6359801301e6fb5fb0f33b0fe1848d1c7d73bdc6f019c5

  • SSDEEP

    24576:zX+2dFxSnM2MtDgnpSZHTWme0+zNh4dxQ3SK:NdOutExfPSK

Score
10/10
adwindvjw0rmpersistencetrojanworm

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b66fe74731233f91d26f03d3ac6c0fe3.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:2680
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\byuwlpcimg.txt"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.070472627591887225915508536563609202.class
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\system32\cmd.exe
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6891638949599636024.vbs
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Windows\system32\cscript.exe
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6891638949599636024.vbs
            5⤵
              PID:1924
          • C:\Windows\system32\cmd.exe
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6487640820886832411.vbs
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\system32\cscript.exe
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6487640820886832411.vbs
              5⤵
                PID:3040
            • C:\Windows\system32\xcopy.exe
              xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
              4⤵
                PID:1184
            • C:\Windows\system32\cmd.exe
              cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7994884487959017211.vbs
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1868
              • C:\Windows\system32\cscript.exe
                cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7994884487959017211.vbs
                4⤵
                  PID:2184
              • C:\Windows\system32\cmd.exe
                cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9070556217866620057.vbs
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2092
                • C:\Windows\system32\cscript.exe
                  cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9070556217866620057.vbs
                  4⤵
                    PID:2196
                • C:\Windows\system32\xcopy.exe
                  xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
                  3⤵
                    PID:1992
                  • C:\Windows\system32\cmd.exe
                    cmd.exe
                    3⤵
                      PID:2272
                    • C:\Windows\system32\reg.exe
                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v cZCSCTaCivp /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\lEEToECCsra\oEKYBoRrkHp.eTbJjF\"" /f
                      3⤵
                      • Adds Run key to start application
                      • Modifies registry key
                      PID:2340
                    • C:\Windows\system32\attrib.exe
                      attrib +h "C:\Users\Admin\lEEToECCsra\*.*"
                      3⤵
                      • Views/modifies file attributes
                      PID:2420
                    • C:\Windows\system32\attrib.exe
                      attrib +h "C:\Users\Admin\lEEToECCsra"
                      3⤵
                      • Views/modifies file attributes
                      PID:2460
                    • C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
                      C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\lEEToECCsra\oEKYBoRrkHp.eTbJjF
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2524
                      • C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
                        C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.39349056601031968542037462189862912.class
                        4⤵
                          PID:308

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\Retrive6891638949599636024.vbs
                    Filesize

                    276B

                    MD5

                    3bdfd33017806b85949b6faa7d4b98e4

                    SHA1

                    f92844fee69ef98db6e68931adfaa9a0a0f8ce66

                    SHA256

                    9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

                    SHA512

                    ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Retrive9070556217866620057.vbs
                    Filesize

                    281B

                    MD5

                    a32c109297ed1ca155598cd295c26611

                    SHA1

                    dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

                    SHA256

                    45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

                    SHA512

                    70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_0.070472627591887225915508536563609202.class
                    Filesize

                    241KB

                    MD5

                    781fb531354d6f291f1ccab48da6d39f

                    SHA1

                    9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

                    SHA256

                    97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

                    SHA512

                    3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js
                    Filesize

                    11KB

                    MD5

                    150efb51ec05bc4a9bbb525397f5f741

                    SHA1

                    be85f05d5a074fa98232cf993fc6f5a7dac9f880

                    SHA256

                    b97357a2422085a44feea1491f88a44e3a9080cef0330a70b6d9cc0f0ed3cd19

                    SHA512

                    e45f7012eb013e53b9a49e239bf7c07a81a08587501674fdb0e6f048edfa904b01138da374ce51b131f1bda952761cc64e317fe453e76d8cf099868a4ad301e5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1658372521-4246568289-2509113762-1000\83aa4cc77f591dfc2374580bbd95f6ba_f4bfc772-1e14-4cb7-967a-2360098b659f
                    Filesize

                    45B

                    MD5

                    c8366ae350e7019aefc9d1e6e6a498c6

                    SHA1

                    5731d8a3e6568a5f2dfbbc87e3db9637df280b61

                    SHA256

                    11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

                    SHA512

                    33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\byuwlpcimg.txt
                    Filesize

                    473KB

                    MD5

                    ca4cf45e9499c04f77d54212bb0805c0

                    SHA1

                    296688e7207ddbdd7f0e5096ae9c1993b5ff130b

                    SHA256

                    f8255759c5da02e9b0de11ea93f90f14fc34bb8cd839ff7c4a53a86438b11344

                    SHA512

                    90075be1e95bacdb020504304b79cc1e2fca3eadcffd87d00c16d95ce93922e3b1835b93d0f91874dcfb3dd17b8dafad65c3a258bd95a0e05a237cd4f1691d0b

                    Download Submit

                  • C:\Users\Admin\lEEToECCsra\ID.txt
                    Filesize

                    47B

                    MD5

                    b0455415e8f22f6b3d7ab6795326093d

                    SHA1

                    6a8eedd28471a8bf2be794a4c811f1f1f3ce6bd6

                    SHA256

                    15c3614e801b87c4447264d9664921b3a3f2ecf0e8fbe02f110e1219aa1ee0ad

                    SHA512

                    16b33727e725099a750365e46cb2170f9aa73994e32e3a603ce6c8bf76ec68e57c1b74012b27b26106be2f0ae60130c9fe2a61b3ce46beb909a8356d5ddbddc8

                    Download Submit

                  • memory/2524-125-0x0000000002200000-0x0000000005200000-memory.dmp

                    Filesize

                    48.0MB

                    Download

                  • memory/2524-124-0x0000000000320000-0x0000000000321000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-28-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-104-0x0000000002240000-0x0000000005240000-memory.dmp

                    Filesize

                    48.0MB

                    Download

                  • memory/3028-66-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-74-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-77-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-10-0x0000000002240000-0x0000000005240000-memory.dmp

                    Filesize

                    48.0MB

                    Download

                  • memory/3028-41-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-60-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-118-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3028-114-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3068-105-0x0000000002260000-0x0000000005260000-memory.dmp

                    Filesize

                    48.0MB

                    Download

                  • memory/3068-34-0x0000000000220000-0x0000000000221000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3068-24-0x0000000002260000-0x0000000005260000-memory.dmp

                    Filesize

                    48.0MB

                    Download

                  • memory/3068-57-0x0000000000220000-0x0000000000221000-memory.dmp

                    Filesize

                    4KB

                    Download