Overview

overview

10

Static

static

1

eReceipt.js

windows7-x64

10

eReceipt.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2024, 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eReceipt.js

  • Size

    23KB

  • MD5

    0a88f3eb9d11b80339b2954140feb7ba

  • SHA1

    1662879c2e251946f7d5497f863220dd91160102

  • SHA256

    422e287276a07bcb879d792e793c47a3720d45ed01216531a49f78aefe17bd91

  • SHA512

    7019a79a66239cb290fe3a6a845386bca020348b72b2b9b28337b839a0b5f2ebb0567211f43381eb1afea4b9c9099b73019d07d7e93f6f5ab2e65adc6c0c7665

  • SSDEEP

    384:tm3uw3mx5W7X/ZIFMzhaPIuYYHqWJUXA7jhSBfoeXG+2FLbP8L5vO97oxEXdf3e:ol2xw7Xe1F2eUXsjEBnt2uZ27oxElu

Score
10/10
vjw0rmexecutionpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Vjw0rm family
    vjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\eReceipt.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aTQVxeggsb.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:4824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\aTQVxeggsb.js
    Filesize

    8KB

    MD5

    4640bf09b44ca4571713b1ecb5178f44

    SHA1

    99abf89b86d719c9a91af0872f6325862a620fbf

    SHA256

    f3f74f1914f4d54063e864afe9c93b28a3ac77bf4aa6306e42c0cedd894fc004

    SHA512

    3b17a47f3bd6bceb57357610f93de1490436bb346c3ac62d1a5bef2d62b6148671aa1bd83e20da33576284a838f7459b205bd87e54d29b04fdf94e24bb371436

    Download Submit