vjw0rm | 872339e661e1a90638d6981b8b09d56cccebdfdfad0fabb2c5100f4c05bccce7

General

Target

MT103 PAYMENT_ANCHORS_4263782872.pdf.js
Size

205KB
MD5

f924ea1d9a529af64d57c5daa6f55bab
SHA1

e39ec476abb7acce4e713f15fb121ceed72b12c2
SHA256

872339e661e1a90638d6981b8b09d56cccebdfdfad0fabb2c5100f4c05bccce7
SHA512

3d59266b9bbfa01dd4c694faa42f53d8c87eae2698cfdfdd941eaa6cfaeeb2383c0fdf4deb32f4c0ecaf8ffa671737ee7d6acbd186ef8ee3c0ef85e79719140c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

Processes:

WScript.exe

flow	pid	process
7	2028	WScript.exe
8	2028	WScript.exe
9	2028	WScript.exe
11	2028	WScript.exe
12	2028	WScript.exe
13	2028	WScript.exe
15	2028	WScript.exe
16	2028	WScript.exe
17	2028	WScript.exe
19	2028	WScript.exe
20	2028	WScript.exe
21	2028	WScript.exe
23	2028	WScript.exe
24	2028	WScript.exe
25	2028	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LQlAlqxPqv.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LQlAlqxPqv.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\LQlAlqxPqv.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1444 1360 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1444 WerFault.exe
1444 WerFault.exe
1444 WerFault.exe
1444 WerFault.exe
1444 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1444 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1444 WerFault.exe

pid	pid_target	process	target process
1444	1360	WerFault.exe	javaw.exe

pid	process
1444	WerFault.exe
1444	WerFault.exe
1444	WerFault.exe
1444	WerFault.exe
1444	WerFault.exe

pid	process
1444	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1444	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1092 wrote to memory of 2028	1092	wscript.exe	WScript.exe
PID 1092 wrote to memory of 2028	1092	wscript.exe	WScript.exe
PID 1092 wrote to memory of 2028	1092	wscript.exe	WScript.exe
PID 1092 wrote to memory of 1360	1092	wscript.exe	javaw.exe
PID 1092 wrote to memory of 1360	1092	wscript.exe	javaw.exe
PID 1092 wrote to memory of 1360	1092	wscript.exe	javaw.exe
PID 1360 wrote to memory of 1444	1360	javaw.exe	WerFault.exe
PID 1360 wrote to memory of 1444	1360	javaw.exe	WerFault.exe
PID 1360 wrote to memory of 1444	1360	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT_ANCHORS_4263782872.pdf.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\LQlAlqxPqv.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2028

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kheebb.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1360 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LQlAlqxPqv.js

MD5
60b4571a8ea0c638af1345fc7a0a3c83

SHA1
982907d9eb4134ff8f49c9b77006c26b71275a2e

SHA256
548dd0948082a5cf5bbb25c171cc0f49b59bcad7b89b5c450e5818292e500711

SHA512
e1110e8478db3a2fe1f4db2b2941fa5684cb0f52cce314a1d365b5ae21fee40ef6f6ae4aa390e461b59f594612dcb0038c47da457cbb9dad6bf6ffa7448e423b

Download Submit
C:\Users\Admin\AppData\Roaming\kheebb.txt

MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/1092-53-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x0000000000000000-mapping.dmp

Download
memory/1444-59-0x0000000000000000-mapping.dmp

Download
memory/1444-61-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/2028-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads