Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-12-2024 13:12
General
-
Target
eReceipt.js
-
Size
23KB
-
MD5
0a88f3eb9d11b80339b2954140feb7ba
-
SHA1
1662879c2e251946f7d5497f863220dd91160102
-
SHA256
422e287276a07bcb879d792e793c47a3720d45ed01216531a49f78aefe17bd91
-
SHA512
7019a79a66239cb290fe3a6a845386bca020348b72b2b9b28337b839a0b5f2ebb0567211f43381eb1afea4b9c9099b73019d07d7e93f6f5ab2e65adc6c0c7665
-
SSDEEP
384:tm3uw3mx5W7X/ZIFMzhaPIuYYHqWJUXA7jhSBfoeXG+2FLbP8L5vO97oxEXdf3e:ol2xw7Xe1F2eUXsjEBnt2uZ27oxElu
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Vjw0rm family
-
Blocklisted process makes network request 18 IoCs
-
Drops startup file 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aTQVxeggsb.js"2⤵
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD54640bf09b44ca4571713b1ecb5178f44
SHA199abf89b86d719c9a91af0872f6325862a620fbf
SHA256f3f74f1914f4d54063e864afe9c93b28a3ac77bf4aa6306e42c0cedd894fc004
SHA5123b17a47f3bd6bceb57357610f93de1490436bb346c3ac62d1a5bef2d62b6148671aa1bd83e20da33576284a838f7459b205bd87e54d29b04fdf94e24bb371436