vjw0rm | a40e1a0e0a1e68051cefc29955d92d99efa3d24a8d70052de8aa9e4ab08da32b

General

Target

d5fe40e5_GW0BFNhBvP.js
Size

205KB
MD5

d5fe40e5e35ebbc1a60c54672f775325
SHA1

9b01278c620351932e98e95db9881f18652f7e67
SHA256

a40e1a0e0a1e68051cefc29955d92d99efa3d24a8d70052de8aa9e4ab08da32b
SHA512

2ade53d5a1d303328af40acf3f1d231fc54a8b3eb0d1e934094a7b7c63e5035c679e7ce89465e0ea4ea796e7f5f991c1da760cb64ad4b15b8d9130272e6d617c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
8	1092	WScript.exe
18	1092	WScript.exe
21	1092	WScript.exe
22	1092	WScript.exe
23	1092	WScript.exe
24	1092	WScript.exe
25	1092	WScript.exe
26	1092	WScript.exe
27	1092	WScript.exe
28	1092	WScript.exe
29	1092	WScript.exe
30	1092	WScript.exe
31	1092	WScript.exe
32	1092	WScript.exe
33	1092	WScript.exe
34	1092	WScript.exe
35	1092	WScript.exe
36	1092	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqTlpEOTrV.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqTlpEOTrV.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqTlpEOTrV.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2792 1748 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
2792	1748	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2792 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2792	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3992 wrote to memory of 1092	3992	wscript.exe	WScript.exe
PID 3992 wrote to memory of 1092	3992	wscript.exe	WScript.exe
PID 3992 wrote to memory of 1748	3992	wscript.exe	javaw.exe
PID 3992 wrote to memory of 1748	3992	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d5fe40e5_GW0BFNhBvP.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dqTlpEOTrV.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1092

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qnlixgbyth.txt"
2⤵
PID:1748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1748 -s 352
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dqTlpEOTrV.js

MD5
3a463dc3f1ccbb255564f73dccca622e

SHA1
ab4a88d983c371128c73699cac7e308ca7870f7b

SHA256
18c2e58bfb5e035d4c1e4d2ba4e506c8041c739ec32ec9ce80ba00adc4dbd550

SHA512
d7a4fdb65d1b5ff1616489e7b893ebab3f1e160c99007a43fc73ada3ec53cc9ddae4c3a6acb6e2852b239de336253064fd838d3f843c09e2ab952dce8e8e2cbe

Download Submit
C:\Users\Admin\AppData\Roaming\qnlixgbyth.txt

MD5
2ed25df72bd13cca5979c53b8fe7e529

SHA1
82b9c61b60f966e1ff77374b7aea67334ae98ef1

SHA256
81473eced4690bb6172d677771924cd4a0542c74f00dae2b3493cbebc6b1549c

SHA512
3086609e10bb6504ac26fb573874ade44ec446e19ac7d1e059f108dbaf31271617a10addabed41997e400bc885d07ef713054ef2d2246748809740a64c7e90f6

Download Submit
memory/1092-115-0x0000000000000000-mapping.dmp

Download
memory/1748-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads