vjw0rm | c8602635235e660c6fb7c8f69ea586482c972a807d7dac0cc81c56fcf0d93e02

General

Target

763904f1_U2aZzq1vXW.js
Size

208KB
MD5

763904f17e55bb5bfa038bed7a3a3ff6
SHA1

0bbbf2007444d743e13ae8666cf55fd2e40fc6ff
SHA256

c8602635235e660c6fb7c8f69ea586482c972a807d7dac0cc81c56fcf0d93e02
SHA512

4c7eee1a479aa9f22271a99419e3cf076203ed035e49ef1b9f02361855213d4b75015f3d5e1d065de5c0cbf71031ffc18afe766ff38246c8dbca56c5a5e4494e

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
8	1760	WScript.exe
9	1760	WScript.exe
10	1760	WScript.exe
12	1760	WScript.exe
13	1760	WScript.exe
14	1760	WScript.exe
16	1760	WScript.exe
17	1760	WScript.exe
18	1760	WScript.exe
20	1760	WScript.exe
21	1760	WScript.exe
22	1760	WScript.exe
24	1760	WScript.exe
25	1760	WScript.exe
26	1760	WScript.exe
28	1760	WScript.exe
29	1760	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bGhayglGGp.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bGhayglGGp.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\bGhayglGGp.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 1768 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1080 WerFault.exe
1080 WerFault.exe
1080 WerFault.exe
1080 WerFault.exe
1080 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1080 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1080 WerFault.exe

pid	pid_target	process	target process
1080	1768	WerFault.exe	javaw.exe

pid	process
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

pid	process
1080	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1080	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1316 wrote to memory of 1760	1316	wscript.exe	WScript.exe
PID 1316 wrote to memory of 1760	1316	wscript.exe	WScript.exe
PID 1316 wrote to memory of 1760	1316	wscript.exe	WScript.exe
PID 1316 wrote to memory of 1768	1316	wscript.exe	javaw.exe
PID 1316 wrote to memory of 1768	1316	wscript.exe	javaw.exe
PID 1316 wrote to memory of 1768	1316	wscript.exe	javaw.exe
PID 1768 wrote to memory of 1080	1768	javaw.exe	WerFault.exe
PID 1768 wrote to memory of 1080	1768	javaw.exe	WerFault.exe
PID 1768 wrote to memory of 1080	1768	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\763904f1_U2aZzq1vXW.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bGhayglGGp.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1760

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\flbfet.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1768 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bGhayglGGp.js

MD5
3d29800f4ac80ec11fb83220c10166af

SHA1
563f6b81b3ca00b5f483e1fad62b511e62d1cf6b

SHA256
3d98b5e35da71ddf286f92d2cdb33fb631c95f90ff11e31ba53c236c6758b3d7

SHA512
e71ac8e739872ae451d2780f07c3262e44ffab582654be439d96db52c5b0eef7d724177c169f16b6725c1c2bf48a44097792c4eb5310d4e2c327dcd28c387cf7

Download Submit
C:\Users\Admin\AppData\Roaming\flbfet.txt

MD5
2609351f059049d57f3c3acb42f6ceba

SHA1
f028f2c40bd349772b0ee2a50ce15faa692e5b90

SHA256
050bd188e324cf2070656fda15505df4e8663377e7a62bc5cb7d3fceefdde25f

SHA512
d797b768fc8adf63776f6011695a63998729c4a227c4002ec9cbe52e2431d50496e745c2833ee00db951dde49b3c2ba4692d01057253b5259a65d0aa5f8208ea

Download Submit
memory/1080-58-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1316-52-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1760-53-0x0000000000000000-mapping.dmp

Download
memory/1768-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads