vjw0rm | c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52

General

Target

cotización______________________fdp.js
Size

200KB
MD5

0982fc211767a61d7a3ef26ad2405be6
SHA1

e00d78a7ac396441217c133ba728af2a7aa67c9d
SHA256

c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52
SHA512

a3b15291adb751a83386b1ba0cf1fd89843237a7f4ce6402a11a5099a8f18f8caa652842532310c768734ff670f46df28da8893c869a8e564a17268c13897d57

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
9	1600	WScript.exe
14	1600	WScript.exe
18	1600	WScript.exe
20	1600	WScript.exe
21	1600	WScript.exe
22	1600	WScript.exe
23	1600	WScript.exe
24	1600	WScript.exe
25	1600	WScript.exe
26	1600	WScript.exe
27	1600	WScript.exe
28	1600	WScript.exe
29	1600	WScript.exe
30	1600	WScript.exe
31	1600	WScript.exe
32	1600	WScript.exe
33	1600	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\iZuOkORefJ.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2648 1944 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
2648	1944	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2648 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2648	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4044 wrote to memory of 1600	4044	wscript.exe	WScript.exe
PID 4044 wrote to memory of 1600	4044	wscript.exe	WScript.exe
PID 4044 wrote to memory of 1944	4044	wscript.exe	javaw.exe
PID 4044 wrote to memory of 1944	4044	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\cotización______________________fdp.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1600

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wxtlokfp.txt"
2⤵
PID:1944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1944 -s 356
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js
MD5
ba88b3aeea9cd6596528119b0a81e127

SHA1
af06129ded6c4e82b5c16607c3cbae77691d8407

SHA256
7417fe426dc695b070d697d4cd2add731e80cab5bd1f15ae01c26d3bf7ff6812

SHA512
4deb61ea7ea3a5cec8fee42e878cc3704375f05ff3c68ae1cc7154885919c2f3952e22a042d716efe4277041f9384203f13308f1e9ce7338139cb4d314424d38

Download Submit
C:\Users\Admin\AppData\Roaming\wxtlokfp.txt
MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/1600-114-0x0000000000000000-mapping.dmp

Download
memory/1944-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads