vjw0rm | 43b48dab6f4327b867221688c4f77d57a43faba5067698dd37c8d1a63229056a

General

Target

039aa145_7xRy7YcWQY.js
Size

205KB
MD5

039aa1459dff7f925387f99398485238
SHA1

ae030e4bc78bc8725ffb7911d77a820003059531
SHA256

43b48dab6f4327b867221688c4f77d57a43faba5067698dd37c8d1a63229056a
SHA512

484d67e334512eedf4636606b16b03032e4ac7d28d450d28789b3a8a3b6dadac573aeb9d34d2d2e66f1e2f839da410c8ef12b602d0a4db37c0b72c3671079503

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
7	1788	WScript.exe
8	1788	WScript.exe
9	1788	WScript.exe
11	1788	WScript.exe
12	1788	WScript.exe
13	1788	WScript.exe
15	1788	WScript.exe
16	1788	WScript.exe
17	1788	WScript.exe
19	1788	WScript.exe
20	1788	WScript.exe
21	1788	WScript.exe
23	1788	WScript.exe
24	1788	WScript.exe
25	1788	WScript.exe
27	1788	WScript.exe
28	1788	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vBlHdPbRXO.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vBlHdPbRXO.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\vBlHdPbRXO.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 1804 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
1768 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1768 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1768 WerFault.exe

pid	pid_target	process	target process
1768	1804	WerFault.exe	javaw.exe

pid	process
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe

pid	process
1768	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1768	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1936 wrote to memory of 1788	1936	wscript.exe	WScript.exe
PID 1936 wrote to memory of 1788	1936	wscript.exe	WScript.exe
PID 1936 wrote to memory of 1788	1936	wscript.exe	WScript.exe
PID 1936 wrote to memory of 1804	1936	wscript.exe	javaw.exe
PID 1936 wrote to memory of 1804	1936	wscript.exe	javaw.exe
PID 1936 wrote to memory of 1804	1936	wscript.exe	javaw.exe
PID 1804 wrote to memory of 1768	1804	javaw.exe	WerFault.exe
PID 1804 wrote to memory of 1768	1804	javaw.exe	WerFault.exe
PID 1804 wrote to memory of 1768	1804	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\039aa145_7xRy7YcWQY.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1788

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jpuqywtmu.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1804 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jpuqywtmu.txt

MD5
2609351f059049d57f3c3acb42f6ceba

SHA1
f028f2c40bd349772b0ee2a50ce15faa692e5b90

SHA256
050bd188e324cf2070656fda15505df4e8663377e7a62bc5cb7d3fceefdde25f

SHA512
d797b768fc8adf63776f6011695a63998729c4a227c4002ec9cbe52e2431d50496e745c2833ee00db951dde49b3c2ba4692d01057253b5259a65d0aa5f8208ea

Download Submit
C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js

MD5
3d1f00e48df980bbe27e044f1806ac45

SHA1
ca18bf1aa56088a4b4fc662641db53e759ca02c5

SHA256
c662504121a016a1d03230f2b588dc3e46a0dc535b374ceea2812b5edd5bb03f

SHA512
925521347e5797e64091baa676a1a28e1ba34bde07672ed2a830c7487ad1a216c499eb2dcd646255bbe2d6944ba283924e9f0ed92ad33f1bcc17c16655ab9dd3

Download Submit
memory/1768-66-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1788-61-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x0000000000000000-mapping.dmp

Download
memory/1936-60-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads