vjw0rm | fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc

General

Target

Request For Quotation.js
Size

200KB
MD5

63a88c19299c8fd2e3bf299798a6a322
SHA1

7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
SHA256

fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
SHA512

3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
8	1904	WScript.exe
19	1904	WScript.exe
20	1904	WScript.exe
21	1904	WScript.exe
22	1904	WScript.exe
23	1904	WScript.exe
24	1904	WScript.exe
25	1904	WScript.exe
26	1904	WScript.exe
27	1904	WScript.exe
28	1904	WScript.exe
29	1904	WScript.exe
30	1904	WScript.exe
31	1904	WScript.exe
32	1904	WScript.exe
33	1904	WScript.exe
34	1904	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2400 1924 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
2400	1924	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2400 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2400	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3204 wrote to memory of 1904	3204	wscript.exe	WScript.exe
PID 3204 wrote to memory of 1904	3204	wscript.exe	WScript.exe
PID 3204 wrote to memory of 1924	3204	wscript.exe	javaw.exe
PID 3204 wrote to memory of 1924	3204	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1904

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\azcinmknig.txt"
2⤵
PID:1924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1924 -s 352
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\azcinmknig.txt
MD5
06f61cd3d0cdf9257fcdac6483d4c1ba

SHA1
f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f

SHA256
424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f

SHA512
9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

Download Submit
C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js
MD5
12bdb4d35045ca79f03c7ab66fa2a4d0

SHA1
fa1942411e165ec654f437f026b0e2e8028fa1fd

SHA256
9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a

SHA512
9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9

Download Submit
memory/1904-114-0x0000000000000000-mapping.dmp

Download
memory/1924-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads