MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccfa8f60748182d0624626398d29548e4912c930152fd14da7ea172b29953871. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vjw0rm


Vendor detections: 9



SHA256 hash: ccfa8f60748182d0624626398d29548e4912c930152fd14da7ea172b29953871
SHA3-384 hash: 3693698475342e67022e0c728c4188476d93770057653531f7904769576c5418be784715bf6f401492176265cf62a820
SHA1 hash: 8f58c2d8cdf2e45cd8bc2550ad3297bbd411e7f2
MD5 hash: d2f059207365496e0882106890b537fc
humanhash: low-finch-alpha-mars
File name: INV198763.js
Signature: Vjw0rm
File size: 502'445 bytes
First seen: 2022-06-14 05:31:12 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 12288:npzQXP20n0/sto93mEauaYFzS7r4DyI1XZKGj:nZCP20nCsto93mEauaYFmHKyIhZ
TLSH: T12AB45CA86B44A5DDE5688A67F83C3DDA53F2270BC45263CC765F36031B7AF05C389868
Reporter: abuse_ch
Tags: js vjw0rm


abuse_ch
Vjw0rm C2:
45.137.22.152:8089

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
45.137.22.152:8089    https://threatfox.abuse.ch/ioc/696474/

Intelligence


File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive obfuscated obfuscated packed wscript
Result
Threat name:
Nanocore, VjW0rm
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
JavaScript source code contains call to eval containing suspicious API calls
JavaScript source code contains functionality to generate code involving a shell, file or stream
JScript performs obfuscated calls to suspicious functions
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Wscript called in batch mode (surpress errors)
Yara detected Generic Downloader
Yara detected Nanocore RAT
Yara detected VjW0rm
Behaviour
Behavior Graph (ID: 645061; Sample: INV198763.js; Start date: 14/06/2022; Architecture: WINDOWS; Score: 100)

Root (sample execution)
  DNS/IP: blessed147.ddns.net
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 14 other signatures
  Started processes: wscript.exe; wscript.exe; dhcpmon.exe; 2 other processes

wscript.exe (first instance)
  Dropped: C:\Users\user\AppData\Local\...\test147.exe (PE32); C:\Users\user\AppData\Roaming\tFHvkGkOsY.js (ASCII)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; 3 other signatures
  Started processes: test147.exe; wscript.exe

wscript.exe (second instance)
  DNS/IP: franmhort.duia.ro

dhcpmon.exe
  Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)

2 other processes
  DNS/IP: franmhort.duia.ro; franmhort.duia.ro

test147.exe
  DNS/IP: blessed147.ddns.net 45.137.22.152 (ports 49766, 49767, 49772; ROOTLAYERNETNL, Netherlands); 192.168.2.1 (unknown)
  Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)

wscript.exe (started by first wscript.exe)
  DNS/IP: franmhort.duia.ro 194.5.97.3 (ports 49765, 49768, 49769; DANILENKODE, Netherlands)
  Dropped: C:\Users\user\AppData\...\tFHvkGkOsY.js (ASCII)
Threat name:
Script-JS.Trojan.Cryxos
Status:
Malicious
First seen:
2022-06-14 05:32:05 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:nanocore family:vjw0rm evasion keylogger persistence spyware stealer suricata trojan worm
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Executes dropped EXE
NanoCore
Vjw0rm
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
blessed147.ddns.net:8089
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_Double_Base64_Encoded_Executable
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889

Rule name: SUSP_Double_Base64_Encoded_Executable_RID34CC
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments