vjw0rm | 2e60c3ba7e545ebb75f91c51b085be7b61d34374f178f9bca45e96624727dc9b

General

Target

Payment proof.js
Size

201KB
MD5

279ba39874bda6eba21ce2ec81361659
SHA1

4d44cefbfce10930858e8a0f9ee8510e27152dcf
SHA256

2e60c3ba7e545ebb75f91c51b085be7b61d34374f178f9bca45e96624727dc9b
SHA512

aba2055963cab29261df5d14386235ea53535ccc6b58485d8a9758fb171deb84f7034deb38c8f209d80a15584bc2cf252edf62b956e70a09614abf00d536aa42

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
9	1528	WScript.exe
16	1528	WScript.exe
18	1528	WScript.exe
19	1528	WScript.exe
20	1528	WScript.exe
21	1528	WScript.exe
22	1528	WScript.exe
23	1528	WScript.exe
24	1528	WScript.exe
25	1528	WScript.exe
26	1528	WScript.exe
27	1528	WScript.exe
28	1528	WScript.exe
29	1528	WScript.exe
30	1528	WScript.exe
31	1528	WScript.exe
32	1528	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\RQJrwUperv.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2708 1652 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
2708	1652	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2708 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2708	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 580 wrote to memory of 1528	580	wscript.exe	WScript.exe
PID 580 wrote to memory of 1528	580	wscript.exe	WScript.exe
PID 580 wrote to memory of 1652	580	wscript.exe	javaw.exe
PID 580 wrote to memory of 1652	580	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RQJrwUperv.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1528

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\btybhtvvhn.txt"
2⤵
PID:1652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1652 -s 352
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RQJrwUperv.js
MD5
8809b0d0197b3cd57b6708280097e505

SHA1
9ce907eb77d894c721bac3b95ec10198b673cf90

SHA256
08a35def10fe25f0e7ba5ab9f9225617752d008b77c3c8038e7f4e6e22efca97

SHA512
0619a90ee431c855718ef66166886c166ee2d3461514220e46fb8cfdfc78bdade23fc6823860dedf6f1a8d65dae9e8e0c94343fe250d469ba63ecd6ef3cfe1a1

Download Submit
C:\Users\Admin\AppData\Roaming\btybhtvvhn.txt
MD5
06f61cd3d0cdf9257fcdac6483d4c1ba

SHA1
f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f

SHA256
424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f

SHA512
9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

Download Submit
memory/1528-114-0x0000000000000000-mapping.dmp

Download
memory/1652-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads