Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2024, 13:12 UTC

General

  • Target

    eReceipt.js

  • Size

    23KB

  • MD5

    0a88f3eb9d11b80339b2954140feb7ba

  • SHA1

    1662879c2e251946f7d5497f863220dd91160102

  • SHA256

    422e287276a07bcb879d792e793c47a3720d45ed01216531a49f78aefe17bd91

  • SHA512

    7019a79a66239cb290fe3a6a845386bca020348b72b2b9b28337b839a0b5f2ebb0567211f43381eb1afea4b9c9099b73019d07d7e93f6f5ab2e65adc6c0c7665

  • SSDEEP

    384:tm3uw3mx5W7X/ZIFMzhaPIuYYHqWJUXA7jhSBfoeXG+2FLbP8L5vO97oxEXdf3e:ol2xw7Xe1F2eUXsjEBnt2uZ27oxElu

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Blocklisted process makes network request 18 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aTQVxeggsb.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:2468

Network

  • flag-us
    DNS query by wscript.exe to 8.8.8.8:53
    Request: loadcash.duckdns.org IN A
    Response: loadcash.duckdns.org IN A 81.161.238.107
  • flag-us
    DNS query by wscript.exe to 8.8.8.8:53
    Request: gameserver-789.duia.ro IN A
    Response: no A record returned
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 81.161.238.107:7778
    loadcash.duckdns.org
    wscript.exe
    152 B
    120 B
    3
    3
  • 8.8.8.8:53
    loadcash.duckdns.org
    dns
    wscript.exe
    66 B
    82 B
    1
    1

    DNS Request

    loadcash.duckdns.org

    DNS Response

    81.161.238.107

  • 8.8.8.8:53
    gameserver-789.duia.ro
    dns
    wscript.exe
    68 B
    124 B
    1
    1

    DNS Request

    gameserver-789.duia.ro

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\aTQVxeggsb.js

    Filesize

    8KB

    MD5

    4640bf09b44ca4571713b1ecb5178f44

    SHA1

    99abf89b86d719c9a91af0872f6325862a620fbf

    SHA256

    f3f74f1914f4d54063e864afe9c93b28a3ac77bf4aa6306e42c0cedd894fc004

    SHA512

    3b17a47f3bd6bceb57357610f93de1490436bb346c3ac62d1a5bef2d62b6148671aa1bd83e20da33576284a838f7459b205bd87e54d29b04fdf94e24bb371436