vjw0rm | cebe7e5f4f23305a16a6665c42326a4fbad4347363eeaa53b5538dc9df7ad6dc

General

Target

SwiftTrans#7865307563.js
Size

195KB
MD5

a62376901c013b2cb5af5dacadca61a2
SHA1

2c174238c278aca33f2a4bf803a14c0a79dd08c1
SHA256

cebe7e5f4f23305a16a6665c42326a4fbad4347363eeaa53b5538dc9df7ad6dc
SHA512

8e3b033f45b941c8753733e0ef893fb70c5905dcc37ba86b1892d33d84e5a447394a3bd57a06a08a78349739a70471deafacfd1c50cc7b012a3f2cae236adfbc

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Processes:

WScript.exe

flow	pid	process
6	1232	WScript.exe
7	1232	WScript.exe
8	1232	WScript.exe
10	1232	WScript.exe
11	1232	WScript.exe
12	1232	WScript.exe
14	1232	WScript.exe
15	1232	WScript.exe
16	1232	WScript.exe
18	1232	WScript.exe
19	1232	WScript.exe
20	1232	WScript.exe
22	1232	WScript.exe
23	1232	WScript.exe
24	1232	WScript.exe
26	1232	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\lDuLgkracY.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1912 2028 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1912 WerFault.exe
1912 WerFault.exe
1912 WerFault.exe
1912 WerFault.exe
1912 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1912 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1912 WerFault.exe

pid	pid_target	process	target process
1912	2028	WerFault.exe	javaw.exe

pid	process
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe

pid	process
1912	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1912	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1104 wrote to memory of 1232	1104	wscript.exe	WScript.exe
PID 1104 wrote to memory of 1232	1104	wscript.exe	WScript.exe
PID 1104 wrote to memory of 1232	1104	wscript.exe	WScript.exe
PID 1104 wrote to memory of 2028	1104	wscript.exe	javaw.exe
PID 1104 wrote to memory of 2028	1104	wscript.exe	javaw.exe
PID 1104 wrote to memory of 2028	1104	wscript.exe	javaw.exe
PID 2028 wrote to memory of 1912	2028	javaw.exe	WerFault.exe
PID 2028 wrote to memory of 1912	2028	javaw.exe	WerFault.exe
PID 2028 wrote to memory of 1912	2028	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SwiftTrans#7865307563.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lDuLgkracY.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1232

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ccksecba.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2028 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ccksecba.txt
MD5
c0887f0887ddeefce4d2a310a82200a4

SHA1
57dec75936a83d0b4d7701141be6a880b4f3b339

SHA256
4d9fa52af46d020276ab73a1759fab3d48d1c5dd5eded9cee5923e4a17f0f5b9

SHA512
fab96055cb2cf967156a0766bcf8f4bc33ff8a22cb68874e6ab3a9e45419ef04f5be3fdecd6a15cc4a7e6a660091d5e5038cf3e7de09f75c9c289ba0b468b971

Download Submit
C:\Users\Admin\AppData\Roaming\lDuLgkracY.js
MD5
1db2128497f4cd412a6b882f616c9651

SHA1
709d8587e58c93f089c10977ca717b80a88693cb

SHA256
f7fd2cfba54252a085cad009b73f8deac7e984396b139c372dbaab72514d7a5a

SHA512
7aa9b0b1b7f57a3a597a3a5661987f71002d68e8fde2b5b38e36bca49e780844391c2ca645610574309f0f633ec44ac31f4964a1674c2e0f73cd3c660a3d1dfb

Download Submit
memory/1104-59-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1232-60-0x0000000000000000-mapping.dmp

Download
memory/1912-64-0x0000000000000000-mapping.dmp

Download
memory/1912-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads