vjw0rm | 68921406e9b3c27e573cbf28f5d12a5b46cb40501384feaf13e4e3f753246d2c

General

Target

00SI886_SO_0169256IN_20210818_000.js
Size

31KB
MD5

786cd57e65ffb85f2e19b3d2ef3dc0bf
SHA1

e36e41a8bb11ec29f90e0b3c643e2707d2a2f255
SHA256

68921406e9b3c27e573cbf28f5d12a5b46cb40501384feaf13e4e3f753246d2c
SHA512

45d85f01d0b2b2f8bb13e886ec8015c0f8d906b9041910ad94c2be2de4557c312f36cf018ccf37bb6fa362b1a6a49da674a08687691e78e78855206cb6cdcb99

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 32 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	1400	wscript.exe
9	1288	wscript.exe
11	1400	wscript.exe
12	1400	wscript.exe
16	1400	wscript.exe
17	1400	wscript.exe
20	1400	wscript.exe
22	1400	wscript.exe
25	1400	wscript.exe
26	1288	wscript.exe
27	1288	wscript.exe
29	1400	wscript.exe
31	1288	wscript.exe
32	1288	wscript.exe
33	1400	wscript.exe
36	1400	wscript.exe
37	1288	wscript.exe
38	1288	wscript.exe
39	1400	wscript.exe
42	1288	wscript.exe
43	1288	wscript.exe
44	1400	wscript.exe
46	1288	wscript.exe
47	1288	wscript.exe
49	1400	wscript.exe
50	1288	wscript.exe
51	1288	wscript.exe
53	1400	wscript.exe
56	1288	wscript.exe
57	1400	wscript.exe
60	1400	wscript.exe
62	1400	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\0L2MC7JOKR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00SI886_SO_0169256IN_20210818_000.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\PzbgTgURNP.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1288 wrote to memory of 1400	1288	wscript.exe	wscript.exe
PID 1288 wrote to memory of 1400	1288	wscript.exe	wscript.exe
PID 1288 wrote to memory of 1400	1288	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js
MD5
91cbc6abb6d16bba34b15ca2ce44e689

SHA1
f63cb5c1395b405a4e1043ce0b46488da52ea47e

SHA256
ebaa4b01e859ee2f2f37178a78d9d6e668c5cb47edca97bff923fdbf68d02a74

SHA512
58977af7c86a43257aa2bc17ea1eaafa49f41cee579c0504004648d0a09e2e7939d6b84c370a2d78cedd47b093009da79d6ac33e0c0cec0712f60a8a245cf0ba

Download Submit
memory/1400-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads