vjw0rm | cebe7e5f4f23305a16a6665c42326a4fbad4347363eeaa53b5538dc9df7ad6dc

General

Target

SwiftTrans#7865307563.js
Size

195KB
MD5

a62376901c013b2cb5af5dacadca61a2
SHA1

2c174238c278aca33f2a4bf803a14c0a79dd08c1
SHA256

cebe7e5f4f23305a16a6665c42326a4fbad4347363eeaa53b5538dc9df7ad6dc
SHA512

8e3b033f45b941c8753733e0ef893fb70c5905dcc37ba86b1892d33d84e5a447394a3bd57a06a08a78349739a70471deafacfd1c50cc7b012a3f2cae236adfbc

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
10	1592	WScript.exe
17	1592	WScript.exe
18	1592	WScript.exe
19	1592	WScript.exe
20	1592	WScript.exe
21	1592	WScript.exe
22	1592	WScript.exe
23	1592	WScript.exe
24	1592	WScript.exe
25	1592	WScript.exe
26	1592	WScript.exe
27	1592	WScript.exe
28	1592	WScript.exe
29	1592	WScript.exe
30	1592	WScript.exe
31	1592	WScript.exe
32	1592	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDuLgkracY.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\lDuLgkracY.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3380 1512 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
3380	1512	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3380 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3380	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 656 wrote to memory of 1592	656	wscript.exe	WScript.exe
PID 656 wrote to memory of 1592	656	wscript.exe	WScript.exe
PID 656 wrote to memory of 1512	656	wscript.exe	javaw.exe
PID 656 wrote to memory of 1512	656	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SwiftTrans#7865307563.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lDuLgkracY.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1592
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ruaaxlfbp.txt"
  2⤵
  PID:1512
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1512 -s 356
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lDuLgkracY.js

MD5
1db2128497f4cd412a6b882f616c9651

SHA1
709d8587e58c93f089c10977ca717b80a88693cb

SHA256
f7fd2cfba54252a085cad009b73f8deac7e984396b139c372dbaab72514d7a5a

SHA512
7aa9b0b1b7f57a3a597a3a5661987f71002d68e8fde2b5b38e36bca49e780844391c2ca645610574309f0f633ec44ac31f4964a1674c2e0f73cd3c660a3d1dfb

Download Submit
C:\Users\Admin\AppData\Roaming\ruaaxlfbp.txt

MD5
c0887f0887ddeefce4d2a310a82200a4

SHA1
57dec75936a83d0b4d7701141be6a880b4f3b339

SHA256
4d9fa52af46d020276ab73a1759fab3d48d1c5dd5eded9cee5923e4a17f0f5b9

SHA512
fab96055cb2cf967156a0766bcf8f4bc33ff8a22cb68874e6ab3a9e45419ef04f5be3fdecd6a15cc4a7e6a660091d5e5038cf3e7de09f75c9c289ba0b468b971

Download Submit
memory/1512-116-0x0000000000000000-mapping.dmp

Download
memory/1592-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads