Resubmissions

09-01-2025 16:47

250109-vang5avlcx 10

09-01-2025 10:36

250109-mm9xwszlap 10

Analysis

  • max time kernel
    873s
  • max time network
    889s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    09-01-2025 16:47

General

  • Target

    sus.js

  • Size

    5KB

  • MD5

    5ffa64bc687da9b568eaaca857db1a1f

  • SHA1

    5593dcbaee25124b49a9bd76a491c53cefb54acb

  • SHA256

    f494422ec0931062c6fd39171b0363299073cb78b18209b11fe36f1c3065f8d6

  • SHA512

    5ec4704d2da3c221d8dcf4df7adb2845e1ccafce689d33141c3bbd8bd702355e71fc91e9e5b5c2f763c6b76c05f33c401004d085608147dd720da31db834399a

  • SSDEEP

    96:SABNo5DRk2c24ZRMHXE6/BI0w+Ys+fJrDdQqR7bJyKIROS4Uu/ingHXRZfzYMe/d:zSa2c24ZRMlBI0TYs+fJXfRfNJingHXm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Blocklisted process makes network request 32 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\sus.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Public\sus.js
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:556
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=1912,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
    1⤵
      PID:2284
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3736,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
      1⤵
        PID:2084
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4376,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:8
        1⤵
          PID:4556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads