Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-04-2024 09:28
General
-
Target
ed1957ce99539019ee515eacc3fc2660_JaffaCakes118.js
-
Size
24KB
-
MD5
ed1957ce99539019ee515eacc3fc2660
-
SHA1
b5be73e11582d601693bd9c10225649e6797cf3a
-
SHA256
d6194c1048c3662b838132f3c112c13f01f83ade44f64bda3bfefb1e9297df5f
-
SHA512
2331642a470f72256d0a1b555e978dcf979cbdbd766303f6598aaae8b6aff1c45262d8bebb61b2fbfb7f0f8d687d94f597260421695a933e4bd5025cb58698e7
-
SSDEEP
768:h+lwW99JDfU0KIgr20On+FibSiVOYsWfL2EHbaBfaXD:4ldzDf+S17bXVPsWfL2EYSz
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 17 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\ed1957ce99539019ee515eacc3fc2660_JaffaCakes118.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\krCCsOdrEH.js"2⤵
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5ab66a419e295afe9fcd360bc01ae5d48
SHA1e937b624d370a33c904da35c9ffa349a56863b88
SHA2569c9a4d7893a0d433eff735ed54f2d7db6707c5ca306c2d9c7d642064292ccce3
SHA512b5b9170e3989b3013fe5e9723797a0e090fb3ce134346b0061194a1dab3454cc685b02956bc8bcc27c9163d6b4f4243a141b97607c600d5aee284e641aa7f6b0