vjw0rm | d69c3eeaba1a1738a995d6b2112f5164326619f72a3a2904eb4db384be3b1c97

General

Target

transfer receipt.js
Size

207KB
MD5

edda157bf2126ca7e4d4afede45dd97f
SHA1

4b25ab1cc9e0eb1e9025f04c3565f098f281708a
SHA256

d69c3eeaba1a1738a995d6b2112f5164326619f72a3a2904eb4db384be3b1c97
SHA512

f48063a90965579f58e7ef83f7b9073fb0cfd055fe59eef6e47d1a46cbb4cb18d3eb422bd1267f34dafca0deef7ec7ac06163e2415c1c1513927e51125aa7ad0

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
8	1956	WScript.exe
9	1956	WScript.exe
10	1956	WScript.exe
12	1956	WScript.exe
13	1956	WScript.exe
14	1956	WScript.exe
16	1956	WScript.exe
17	1956	WScript.exe
18	1956	WScript.exe
20	1956	WScript.exe
21	1956	WScript.exe
22	1956	WScript.exe
24	1956	WScript.exe
25	1956	WScript.exe
26	1956	WScript.exe
28	1956	WScript.exe
29	1956	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZnerGlhArR.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZnerGlhArR.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZnerGlhArR.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

456 632 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

456 WerFault.exe
456 WerFault.exe
456 WerFault.exe
456 WerFault.exe
456 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

456 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 456 WerFault.exe

pid	pid_target	process	target process
456	632	WerFault.exe	javaw.exe

pid	process
456	WerFault.exe
456	WerFault.exe
456	WerFault.exe
456	WerFault.exe
456	WerFault.exe

pid	process
456	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	456	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1992 wrote to memory of 1956	1992	wscript.exe	WScript.exe
PID 1992 wrote to memory of 1956	1992	wscript.exe	WScript.exe
PID 1992 wrote to memory of 1956	1992	wscript.exe	WScript.exe
PID 1992 wrote to memory of 632	1992	wscript.exe	javaw.exe
PID 1992 wrote to memory of 632	1992	wscript.exe	javaw.exe
PID 1992 wrote to memory of 632	1992	wscript.exe	javaw.exe
PID 632 wrote to memory of 456	632	javaw.exe	WerFault.exe
PID 632 wrote to memory of 456	632	javaw.exe	WerFault.exe
PID 632 wrote to memory of 456	632	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\transfer receipt.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ZnerGlhArR.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1956

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yywzncto.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 632 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZnerGlhArR.js

MD5
b1870bb91d61db459603d88f526a16e5

SHA1
a959d582156e59db449d1c281dbce146cd0665c0

SHA256
f4996bb85dfba853c937a0cb6650693380f11979720004cffbacb9707f0c85f6

SHA512
992ee303ce51aa02fcda0616f4fec5713b9d9579fc4ef384106c65631042728a31953cf5ea02a790ec9a55d3a2944dc0d4e93d1db14f6f0f1630c57016b0b74a

Download Submit
C:\Users\Admin\AppData\Roaming\yywzncto.txt

MD5
85ff71c747c2cffbac3e66073eeee70a

SHA1
9ecad73eb19d076b172c1fee5490aa3fee41b653

SHA256
c8ddcbcbf2326a3d60c085308be847503f2ad845af85afdfd4feaa81ffa084fc

SHA512
79ca5b26a0624a15de610183520fd0c6103779d1dd23c8376792c378ca40b44ca870b7aa9a6fe672ca1a606956d149d06641945187dde45b8c3219f19e277888

Download Submit
memory/456-59-0x0000000000000000-mapping.dmp

Download
memory/456-61-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/632-56-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000000000000-mapping.dmp

Download
memory/1992-53-0x000007FEFBBC1000-0x000007FEFBBC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads