vjw0rm | 421c6e4dc68b3eb178243788435e0346b78fae06ffa5126c7b95bd222da0f9d9

General

Target

Remittance-634731.js
Size

462KB
MD5

526e79a834bb7c263ee552706e8ca417
SHA1

088706831253c13f4d77a76c3e9c4e85ac15e104
SHA256

421c6e4dc68b3eb178243788435e0346b78fae06ffa5126c7b95bd222da0f9d9
SHA512

8bb57999c72b37b2572c166c46026f53c5746992c0a7019f5aa74651e87bef9042254d031412c458a9542e38f61304756787822ffc4ef2ffcf3bd1ae07ccb59f

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
7	1800	WScript.exe
8	1800	WScript.exe
9	1800	WScript.exe
11	1800	WScript.exe
12	1800	WScript.exe
13	1800	WScript.exe
15	1800	WScript.exe
16	1800	WScript.exe
17	1800	WScript.exe
19	1800	WScript.exe
20	1800	WScript.exe
21	1800	WScript.exe
23	1800	WScript.exe
24	1800	WScript.exe
25	1800	WScript.exe
27	1800	WScript.exe
28	1800	WScript.exe
29	1800	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\RypRJcyXfu.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 1740 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1484 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1484 WerFault.exe

pid	pid_target	process	target process
1484	1740	WerFault.exe	javaw.exe

pid	process
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

pid	process
1484	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1484	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1664 wrote to memory of 1800	1664	wscript.exe	WScript.exe
PID 1664 wrote to memory of 1800	1664	wscript.exe	WScript.exe
PID 1664 wrote to memory of 1800	1664	wscript.exe	WScript.exe
PID 1664 wrote to memory of 1740	1664	wscript.exe	javaw.exe
PID 1664 wrote to memory of 1740	1664	wscript.exe	javaw.exe
PID 1664 wrote to memory of 1740	1664	wscript.exe	javaw.exe
PID 1740 wrote to memory of 1484	1740	javaw.exe	WerFault.exe
PID 1740 wrote to memory of 1484	1740	javaw.exe	WerFault.exe
PID 1740 wrote to memory of 1484	1740	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Remittance-634731.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1800

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cnlkxen.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1740 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js
MD5
1ba12eceb96fcc3f701b57a122d2d619

SHA1
e6760348cbee519d5f6d99f38cce7c4ead6fc9fa

SHA256
f5582ff25d56281b7a5158ff4105d71f6a1453f1f75e4f26a0d82efd2f61160d

SHA512
08a22d4a5642a828ebfdb18c99d20cbaa49ee966cd166f4338a8ddfc17875da3f5bb1feb7ab8a7aab3e2b98adca9d9464b786d7dc8329cad1e52082669b81ed7

Download Submit
C:\Users\Admin\AppData\Roaming\cnlkxen.txt
MD5
4b04a5e29aeac9bc79a101dc514c33a4

SHA1
57abb8775a1d7642066df1acfb2568d92735f359

SHA256
c327f4e0d967b4560a204eaf5af02c7dc6a1d0989b57a8ce72afc640705170b9

SHA512
b4bf9a4f313b36291673912ae11315cbbf594ee6fe7df62a2e20fb795edb0db0862cdef20e81b391cdead629b11ad24922431766ab00f7810cfb097abae6e442

Download Submit
memory/1484-65-0x0000000000000000-mapping.dmp

Download
memory/1484-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1740-62-0x0000000000000000-mapping.dmp

Download
memory/1740-63-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1800-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads