vjw0rm | 3a5ff06192419f8461bffe6e5ee67f8d47c5338a251fa734639156968883b6a7

General

Target

ISO_certification_027.js
Size

31KB
MD5

701e94c08ec42f456eaff2d6644d3a09
SHA1

2830ec19e12f15a91f25fffb2c600a660267636c
SHA256

3a5ff06192419f8461bffe6e5ee67f8d47c5338a251fa734639156968883b6a7
SHA512

d73c4c2c349685023717d23982327ff9026153a89e4d318230e4eff6d415e94b4d8346ac11f1802a9599d151c07f878698317ee945662cb8a9271768c95cd9cb

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 34 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
9	820	wscript.exe
10	1108	wscript.exe
12	1108	wscript.exe
13	820	wscript.exe
15	1108	wscript.exe
16	820	wscript.exe
19	1108	wscript.exe
21	820	wscript.exe
22	1108	wscript.exe
24	820	wscript.exe
26	1108	wscript.exe
28	820	wscript.exe
31	1108	wscript.exe
32	820	wscript.exe
33	1108	wscript.exe
35	820	wscript.exe
36	1108	wscript.exe
39	820	wscript.exe
42	1108	wscript.exe
43	820	wscript.exe
45	1108	wscript.exe
46	820	wscript.exe
48	1108	wscript.exe
50	820	wscript.exe
53	1108	wscript.exe
54	820	wscript.exe
56	1108	wscript.exe
57	820	wscript.exe
59	1108	wscript.exe
61	820	wscript.exe
62	1108	wscript.exe
65	1108	wscript.exe
67	820	wscript.exe
69	1108	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEssKeAzhW.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISO_certification_027.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEssKeAzhW.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\MEssKeAzhW.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\ISO_certification_027.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

240 schtasks.exe

pid	process
240	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 820 wrote to memory of 1108	820	wscript.exe	wscript.exe
PID 820 wrote to memory of 1108	820	wscript.exe	wscript.exe
PID 820 wrote to memory of 1108	820	wscript.exe	wscript.exe
PID 820 wrote to memory of 240	820	wscript.exe	schtasks.exe
PID 820 wrote to memory of 240	820	wscript.exe	schtasks.exe
PID 820 wrote to memory of 240	820	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ISO_certification_027.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MEssKeAzhW.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1108

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\ISO_certification_027.js
2⤵
- Creates scheduled task(s)
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MEssKeAzhW.js

MD5
6b2538281a0129f06a89834c779d8254

SHA1
d1e221c7beec5bc79b6a1cd894d9f5636a1c6650

SHA256
49e0a3fbff2496b19e365146064de69066f0ec8c8e2b15ee22cba146792b8870

SHA512
179843af0b4b10f07a66ce275b4d964ee31cdbd3da2360d71b67ccaf4e54de968b79f0a44c10cc7add414fe611b376d2b794abc9146ebfe31b46e2ddfb3a9def

Download Submit
memory/240-54-0x0000000000000000-mapping.dmp

Download
memory/1108-52-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads