vjw0rm | ad7abbd37502335bdf4b9d8053e8804b3b4e69085d3756ef4b8353c7eba81422

General

Target

Payment Advice.js
Size

34KB
MD5

1a4ada26cbf28c988746c71f8e1120fe
SHA1

6f4f29e0f1318c3a5f29598d17aad4d4b5d56245
SHA256

ad7abbd37502335bdf4b9d8053e8804b3b4e69085d3756ef4b8353c7eba81422
SHA512

84a23c93399a382f7f8a03d2c25a4860e04e6bbe7641d80ba2011d0135fc6a646fb9c18f94252b96d3e1d7cbd5bc000bea4a2a6b6711e2799e15e51b8de53a9e

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 24 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
10	1528	wscript.exe
11	996	wscript.exe
12	996	wscript.exe
13	1528	wscript.exe
16	1528	wscript.exe
18	996	wscript.exe
19	1528	wscript.exe
23	1528	wscript.exe
24	996	wscript.exe
25	1528	wscript.exe
28	1528	wscript.exe
30	996	wscript.exe
32	1528	wscript.exe
33	996	wscript.exe
36	1528	wscript.exe
38	996	wscript.exe
39	1528	wscript.exe
41	996	wscript.exe
43	1528	wscript.exe
45	1528	wscript.exe
47	996	wscript.exe
48	1528	wscript.exe
51	996	wscript.exe
52	1528	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tUyslWndZh.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tUyslWndZh.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\3XFVC1CQKY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Payment Advice.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\tUyslWndZh.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

304 schtasks.exe

pid	process
304	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1528 wrote to memory of 996	1528	wscript.exe	wscript.exe
PID 1528 wrote to memory of 996	1528	wscript.exe	wscript.exe
PID 1528 wrote to memory of 996	1528	wscript.exe	wscript.exe
PID 1528 wrote to memory of 304	1528	wscript.exe	schtasks.exe
PID 1528 wrote to memory of 304	1528	wscript.exe	schtasks.exe
PID 1528 wrote to memory of 304	1528	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Advice.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tUyslWndZh.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:996

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment Advice.js
2⤵
- Creates scheduled task(s)
PID:304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tUyslWndZh.js
MD5
6fd5569effaec75b1245767332bbf659

SHA1
a36ee93e4c1c0e58cfb202d41393ece5f08268ae

SHA256
d99932fe34a7261aec97790804e61b6e871e4a2277899689dc9ea8f5024875af

SHA512
c8ac5d88d0e500c1303fac8d9a4c1304d20cf1cfdcf923049bfdddaa93d9eb8ed616c142988760462d7a9a5928b60f173bc8c74f783ffc218df8589cb100b202

Download Submit
memory/304-62-0x0000000000000000-mapping.dmp

Download
memory/996-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads