Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

b66fe74731...fe3.js

windows7-x64

10

b66fe74731...fe3.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2024, 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b66fe74731233f91d26f03d3ac6c0fe3.js

  • Size

    905KB

  • MD5

    b66fe74731233f91d26f03d3ac6c0fe3

  • SHA1

    450a3eb0ec332e643658bc6a8a5a94fb4b0f41b9

  • SHA256

    877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8

  • SHA512

    c63c7eba2692232e4f8a84f2a6945adcf24187ff3d9ec8f7be29e51b3c2ff3c710b3d2cc6604434c2a6359801301e6fb5fb0f33b0fe1848d1c7d73bdc6f019c5

  • SSDEEP

    24576:zX+2dFxSnM2MtDgnpSZHTWme0+zNh4dxQ3SK:NdOutExfPSK

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b66fe74731233f91d26f03d3ac6c0fe3.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:1772
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dmaxpuarw.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2140
      • C:\Program Files\Java\jre-1.8\bin\java.exe
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.57317267645937223680139123917565559.class
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    d6003ea6fb4cd9bf8104f53671f0c65f

    SHA1

    5f91eefa838c6bff48bcb359045c01f17d0bd1fc

    SHA256

    9bd8b8f1e13a4853a2cef21d925b14adc0a1f8ad1583e2bea679b70d8f419516

    SHA512

    58ec2379358d5160a36845c08e3654ad0d149c82be794f06de5ac2e4e535c919280fecabc00bacce43a4699c3e6ecbfc71892d6d364fe86eb2919516a2d5b5cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_0.57317267645937223680139123917565559.class
    Filesize

    241KB

    MD5

    781fb531354d6f291f1ccab48da6d39f

    SHA1

    9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

    SHA256

    97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

    SHA512

    3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js
    Filesize

    11KB

    MD5

    150efb51ec05bc4a9bbb525397f5f741

    SHA1

    be85f05d5a074fa98232cf993fc6f5a7dac9f880

    SHA256

    b97357a2422085a44feea1491f88a44e3a9080cef0330a70b6d9cc0f0ed3cd19

    SHA512

    e45f7012eb013e53b9a49e239bf7c07a81a08587501674fdb0e6f048edfa904b01138da374ce51b131f1bda952761cc64e317fe453e76d8cf099868a4ad301e5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-566096764-1992588923-1249862864-1000\83aa4cc77f591dfc2374580bbd95f6ba_2935d258-24ea-4115-bc36-d204b07adb8d
    Filesize

    45B

    MD5

    c8366ae350e7019aefc9d1e6e6a498c6

    SHA1

    5731d8a3e6568a5f2dfbbc87e3db9637df280b61

    SHA256

    11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

    SHA512

    33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dmaxpuarw.txt
    Filesize

    473KB

    MD5

    ca4cf45e9499c04f77d54212bb0805c0

    SHA1

    296688e7207ddbdd7f0e5096ae9c1993b5ff130b

    SHA256

    f8255759c5da02e9b0de11ea93f90f14fc34bb8cd839ff7c4a53a86438b11344

    SHA512

    90075be1e95bacdb020504304b79cc1e2fca3eadcffd87d00c16d95ce93922e3b1835b93d0f91874dcfb3dd17b8dafad65c3a258bd95a0e05a237cd4f1691d0b

    Download Submit

  • memory/628-43-0x000002AC494E0000-0x000002AC4A4E0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/628-95-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/628-97-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/628-23-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/628-24-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/628-11-0x000002AC494E0000-0x000002AC4A4E0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/628-62-0x000002AC494E0000-0x000002AC4A4E0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/628-71-0x000002AC494E0000-0x000002AC4A4E0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/628-73-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/628-80-0x000002AC47C10000-0x000002AC47C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-47-0x0000022FA5E50000-0x0000022FA5E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-81-0x0000022FA5E50000-0x0000022FA5E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-96-0x0000022FA5E50000-0x0000022FA5E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-27-0x0000022FA7720000-0x0000022FA8720000-memory.dmp

    Filesize

    16.0MB

    Download