vjw0rm | b96dc64b8a8f309058d5a311527a5eddb286f0e0c9b4771a5e52449b45d1c704

Analysis

Target

PaymentReceipt_345.js
Size

27KB
MD5

498ecc30f8856e7c6a509fbc73b86df6
SHA1

4b4fe0f6aeb00eb63ff12953bececc7eb66a78f8
SHA256

b96dc64b8a8f309058d5a311527a5eddb286f0e0c9b4771a5e52449b45d1c704
SHA512

e4aa5cc9a27f7835457218189d360aa1076db51c4de3ccf9979a569175a6ed76d36dfb54c666d9ce9fdb0ffe51759ab053df30f2c5f7674522cda7a78ad137e4

Score

10^/10

vjw0rm trojan worm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 8 IoCs

Processes:

wscript.exe

flow pid process

5 324 wscript.exe
7 324 wscript.exe
8 324 wscript.exe
9 324 wscript.exe
12 324 wscript.exe
13 324 wscript.exe
14 324 wscript.exe
15 324 wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentReceipt_345.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentReceipt_345.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1992-2-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Filesize
2.5MB

Download