vjw0rm | 198c52fa986d2d7e55ef994346b440e56a25d2ed329ed425139e728fd36bc1ef

General

Target

js-decoded-1.js
Size

18KB
MD5

d2b0ad1aa51305128fc15a0596dd1c83
SHA1

ab34fadd92aa205ea9a9129601f914cb6da24946
SHA256

198c52fa986d2d7e55ef994346b440e56a25d2ed329ed425139e728fd36bc1ef
SHA512

dd0eec9a7cb5bedf1c3252098c4b835d9665ed1a8c8e770d401f9ef2d600db560fd94fe66087a22b549213dd535c02ed1c788a6608defdde815b53380622063c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 36 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
10	4000	wscript.exe
11	1408	wscript.exe
18	4000	wscript.exe
19	1408	wscript.exe
21	4000	wscript.exe
22	1408	wscript.exe
23	4000	wscript.exe
24	1408	wscript.exe
25	4000	wscript.exe
26	1408	wscript.exe
27	4000	wscript.exe
28	1408	wscript.exe
29	4000	wscript.exe
30	1408	wscript.exe
31	1408	wscript.exe
32	4000	wscript.exe
33	4000	wscript.exe
34	1408	wscript.exe
35	4000	wscript.exe
36	1408	wscript.exe
37	4000	wscript.exe
38	1408	wscript.exe
39	4000	wscript.exe
40	1408	wscript.exe
41	4000	wscript.exe
42	4000	wscript.exe
43	1408	wscript.exe
44	4000	wscript.exe
45	1408	wscript.exe
46	4000	wscript.exe
47	1408	wscript.exe
48	4000	wscript.exe
49	1408	wscript.exe
50	4000	wscript.exe
51	1408	wscript.exe
52	4000	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js-decoded-1.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyUgEcLmud.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyUgEcLmud.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\yyUgEcLmud.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\js-decoded-1.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2376 schtasks.exe

pid	process
2376	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4000 wrote to memory of 1408	4000	wscript.exe	wscript.exe
PID 4000 wrote to memory of 1408	4000	wscript.exe	wscript.exe
PID 4000 wrote to memory of 2376	4000	wscript.exe	schtasks.exe
PID 4000 wrote to memory of 2376	4000	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js-decoded-1.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yyUgEcLmud.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1408

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\js-decoded-1.js
2⤵
- Creates scheduled task(s)
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\yyUgEcLmud.js
MD5
65363d0ea259acee31709e3e7a45cab8

SHA1
10143fc1636eb68c01f5fd6b39244dbd393c66e9

SHA256
86177bfcebdc7ae4a3d049399710ff6272f8289160c068465d729e7cff80f4c7

SHA512
6eb5e93b6a6be0e0c9aecbb4f356e188c41a475a926ef1de5329bfbb80509ab4dbbafd219027ea42e89ae4d355740277820a5e20c0dae5cb27d00e2f00ee070f

Download Submit
memory/1408-115-0x0000000000000000-mapping.dmp

Download
memory/2376-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads