Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 01:30

General

  • Target

    a35e8029ffe51da82af5008f82c1ecb5_JaffaCakes118.exe

  • Size

    5.7MB

  • MD5

    a35e8029ffe51da82af5008f82c1ecb5

  • SHA1

    22b0e92ac081f7630755d2ee640f5e84960f3a82

  • SHA256

    b0b14275a84d2abbf520c389d7e1f2125c50d779ff0072cb6e61a734858f0eb2

  • SHA512

    8189f7fdbdb995ce42d913bcc06c7c36b6e7cbb0e6ce3d757146d8cbad83426d2b63be1fa5fa0bd9f7feee316ae2f074216ae780369d1e5bad9df734ec2c48f1

  • SSDEEP

    98304:f2cPK8lCwxBHuB0XGZzwM+SX4ARTe3O3gzraBt9zZAfUG5+l/Y0zhvgbcoVj:+CKFwJQ0XGqMH4ART6OU+TCUGiWj

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (4 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a35e8029ffe51da82af5008f82c1ecb5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a35e8029ffe51da82af5008f82c1ecb5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\102030.js"
      2⤵
      • Drops startup file
      PID:1756
    • C:\Windows\tcmd920x64.exe
      C:\Windows/tcmd920x64.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut4DE2.tmp

    Filesize

    4.9MB

    MD5

    42de8d3a823fd6c509a309ba8911ca3b

    SHA1

    d27abd02fe60002cfb60b1c68888a666c48c9142

    SHA256

    1887c4cb3498572965ad813c6b8c7888514f515b9acba14a6618111db1a43260

    SHA512

    303abdc1b5724418f729b4381312896206233a38cecfd6d4b0d54502086725bfa61d7a43483850c4652f023ba9ad7558bd78a34a04f5ec5a01b83c7a60631b5a

  • C:\Windows\102030.js

    Filesize

    15KB

    MD5

    2cf1f2933c25461abd2a4a8f26961d3a

    SHA1

    e4fa3cc6cff016c79856e860855b570687c2bb9b

    SHA256

    c4f632ea76b51f9e5be0e5d54d8d00d1acc450da73edcfba97ac72ff72e3bde6

    SHA512

    10debd350c164b8e80b4b7792f1067446179ff7fb421ecf98db19304ea49f9936987e98e3b1c27534d2a68bed75a373b4959018fc73af58d7fa5cd9dbf8f6ec0