vjw0rm | c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52

General

Target

cotización______________________fdp.js
Size

200KB
MD5

0982fc211767a61d7a3ef26ad2405be6
SHA1

e00d78a7ac396441217c133ba728af2a7aa67c9d
SHA256

c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52
SHA512

a3b15291adb751a83386b1ba0cf1fd89843237a7f4ce6402a11a5099a8f18f8caa652842532310c768734ff670f46df28da8893c869a8e564a17268c13897d57

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
6	1996	WScript.exe
7	1996	WScript.exe
8	1996	WScript.exe
10	1996	WScript.exe
11	1996	WScript.exe
12	1996	WScript.exe
14	1996	WScript.exe
15	1996	WScript.exe
16	1996	WScript.exe
18	1996	WScript.exe
19	1996	WScript.exe
20	1996	WScript.exe
22	1996	WScript.exe
23	1996	WScript.exe
24	1996	WScript.exe
26	1996	WScript.exe
27	1996	WScript.exe
28	1996	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\iZuOkORefJ.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1796 1392 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1796 WerFault.exe
1796 WerFault.exe
1796 WerFault.exe
1796 WerFault.exe
1796 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1796 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1796 WerFault.exe

pid	pid_target	process	target process
1796	1392	WerFault.exe	javaw.exe

pid	process
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe

pid	process
1796	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1796	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1084 wrote to memory of 1996	1084	wscript.exe	WScript.exe
PID 1084 wrote to memory of 1996	1084	wscript.exe	WScript.exe
PID 1084 wrote to memory of 1996	1084	wscript.exe	WScript.exe
PID 1084 wrote to memory of 1392	1084	wscript.exe	javaw.exe
PID 1084 wrote to memory of 1392	1084	wscript.exe	javaw.exe
PID 1084 wrote to memory of 1392	1084	wscript.exe	javaw.exe
PID 1392 wrote to memory of 1796	1392	javaw.exe	WerFault.exe
PID 1392 wrote to memory of 1796	1392	javaw.exe	WerFault.exe
PID 1392 wrote to memory of 1796	1392	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\cotización______________________fdp.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1996

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xofegmuvwc.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1392 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js
MD5
ba88b3aeea9cd6596528119b0a81e127

SHA1
af06129ded6c4e82b5c16607c3cbae77691d8407

SHA256
7417fe426dc695b070d697d4cd2add731e80cab5bd1f15ae01c26d3bf7ff6812

SHA512
4deb61ea7ea3a5cec8fee42e878cc3704375f05ff3c68ae1cc7154885919c2f3952e22a042d716efe4277041f9384203f13308f1e9ce7338139cb4d314424d38

Download Submit
C:\Users\Admin\AppData\Roaming\xofegmuvwc.txt
MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/1084-60-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1392-63-0x0000000000000000-mapping.dmp

Download
memory/1796-66-0x0000000000000000-mapping.dmp

Download
memory/1796-68-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads