Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 18:08

General

  • Target

    JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js

  • Size

    18KB

  • MD5

    1d9327d69fd263ac645b6a4eef31cb24

  • SHA1

    3cff6c8d464e8c254048635dd68e31225ffcb6e4

  • SHA256

    b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0

  • SHA512

    50cf6ff55a3f73803b4b1313c029e08e66e62ff6de1fd839fec21aecc09d30254616a3b8aab271828a7a69f4835d155ee4af53bb3c4daaa3b4a1cb2305409e2f

  • SSDEEP

    192:XppRDuksQVaQ3bBcaJQYkobtD07DX5sRqvex8aIxjPyeUuKGwSfb+U0Sl2c2fgYS:XvvpaQ3bC9voUDXYHyjPw//9gRL

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Blocklisted process makes network request 16 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\amqolYPJMq.js

    Filesize

    10KB

    MD5

    3f7b92769fc59d8adc125b4d4e8adee4

    SHA1

    b3ea6913dcf3681572a1db1f429cc5e1e49b060e

    SHA256

    e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209

    SHA512

    659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f