vjw0rm | 81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c

General

Target

1ranf80w5x.js
Size

6KB
MD5

737ab81779d546b3ccc019569acb0269
SHA1

d746edccdfb5ba9f357ab6a6281c1c09c25b5912
SHA256

81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c
SHA512

961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 64 IoCs

Processes:

wscript.exe

flow	pid	process
7	4048	wscript.exe
15	4048	wscript.exe
17	4048	wscript.exe
18	4048	wscript.exe
19	4048	wscript.exe
20	4048	wscript.exe
21	4048	wscript.exe
22	4048	wscript.exe
23	4048	wscript.exe
24	4048	wscript.exe
25	4048	wscript.exe
26	4048	wscript.exe
27	4048	wscript.exe
28	4048	wscript.exe
29	4048	wscript.exe
30	4048	wscript.exe
31	4048	wscript.exe
32	4048	wscript.exe
33	4048	wscript.exe
34	4048	wscript.exe
35	4048	wscript.exe
36	4048	wscript.exe
37	4048	wscript.exe
38	4048	wscript.exe
39	4048	wscript.exe
40	4048	wscript.exe
41	4048	wscript.exe
42	4048	wscript.exe
43	4048	wscript.exe
44	4048	wscript.exe
51	4048	wscript.exe
52	4048	wscript.exe
53	4048	wscript.exe
54	4048	wscript.exe
55	4048	wscript.exe
56	4048	wscript.exe
57	4048	wscript.exe
60	4048	wscript.exe
61	4048	wscript.exe
62	4048	wscript.exe
63	4048	wscript.exe
64	4048	wscript.exe
65	4048	wscript.exe
66	4048	wscript.exe
67	4048	wscript.exe
68	4048	wscript.exe
69	4048	wscript.exe
70	4048	wscript.exe
71	4048	wscript.exe
72	4048	wscript.exe
73	4048	wscript.exe
74	4048	wscript.exe
75	4048	wscript.exe
76	4048	wscript.exe
77	4048	wscript.exe
78	4048	wscript.exe
79	4048	wscript.exe
80	4048	wscript.exe
81	4048	wscript.exe
82	4048	wscript.exe
83	4048	wscript.exe
84	4048	wscript.exe
85	4048	wscript.exe
86	4048	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1468 schtasks.exe
2576 schtasks.exe

pid	process
1468	schtasks.exe
2576	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exeWScript.exe

description	pid	process	target process
PID 4048 wrote to memory of 1468	4048	wscript.exe	schtasks.exe
PID 4048 wrote to memory of 1468	4048	wscript.exe	schtasks.exe
PID 4012 wrote to memory of 2576	4012	WScript.exe	schtasks.exe
PID 4012 wrote to memory of 2576	4012	WScript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
2⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
2⤵
- Creates scheduled task(s)
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1468-114-0x0000000000000000-mapping.dmp

Download
memory/2576-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads