vjw0rm | 47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb

General

Target

Invoice-2.js
Size

32KB
MD5

23d1f183e50e7ea2393fa5eded265813
SHA1

a85f64b11fe641fd18bb4b79f2779b11dd4c0869
SHA256

47fd8e31ecf0c8243056163d6e17962156875c680d534756f4155e478526d2bb
SHA512

740fd98898e225fe70f107c21eab6867436054e152e58828be39f0de022fc670150add5b6034a3bae3b91af91dacbfb230d47732c4b4fb7bfefee8a0175fef43

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 19 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
9	3888	wscript.exe
10	3984	wscript.exe
18	3984	wscript.exe
19	3984	wscript.exe
20	3984	wscript.exe
21	3984	wscript.exe
22	3984	wscript.exe
23	3984	wscript.exe
24	3984	wscript.exe
25	3984	wscript.exe
26	3984	wscript.exe
27	3984	wscript.exe
28	3984	wscript.exe
29	3984	wscript.exe
30	3984	wscript.exe
31	3984	wscript.exe
32	3984	wscript.exe
33	3984	wscript.exe
34	3984	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuCMRJfbWc.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\MuCMRJfbWc.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 740 wrote to memory of 3984	740	wscript.exe	wscript.exe
PID 740 wrote to memory of 3984	740	wscript.exe	wscript.exe
PID 740 wrote to memory of 3888	740	wscript.exe	wscript.exe
PID 740 wrote to memory of 3888	740	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice-2.js
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3984

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\VLK.vbs"
2⤵
- Blocklisted process makes network request
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VLK.vbs
MD5
6dfc3b5e6d03b18f354fca422f625c72

SHA1
b62e9bd385f2ab06fc0fa0bcf48ef41b6cd5bc1d

SHA256
2f47caad055b12872d1501f273fe4b86bb641a1f9c1f257dcb0c12f70c1870a9

SHA512
65dc64def37722cadd37bd0020d18b30697fe36a5a402f775d4bf3975066064264189cb39d09d25d57cfe86ef33b1ce1b16aa8ae8c780bb4e6e80fd794fa0ba9

Download Submit
C:\Users\Admin\AppData\Roaming\MuCMRJfbWc.js
MD5
ef6faacbf40e1fe1de245177065a4f68

SHA1
d3d4baa744b10d39ddb7b4e048e18149d689e47c

SHA256
5b5fe15c592a94116c3aca25c92c8e17b16245898bb3557a620449a16091a2d9

SHA512
dbd55abb487f5860ea4d8517092acd80c508aa69b9a6f6876465d80d5cb8dfdaed02619f6459c23a43781da6d23efc3998a1f9b4c11e2ddbe5b4b1e36a5af9ab

Download Submit
memory/3888-115-0x0000000000000000-mapping.dmp

Download
memory/3984-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads