vjw0rm | 877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8

General

Target

b66fe747_bGWi6sLSFI.js
Size

905KB
MD5

b66fe74731233f91d26f03d3ac6c0fe3
SHA1

450a3eb0ec332e643658bc6a8a5a94fb4b0f41b9
SHA256

877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8
SHA512

c63c7eba2692232e4f8a84f2a6945adcf24187ff3d9ec8f7be29e51b3c2ff3c710b3d2cc6604434c2a6359801301e6fb5fb0f33b0fe1848d1c7d73bdc6f019c5

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
10	2376	WScript.exe
18	2376	WScript.exe
20	2376	WScript.exe
21	2376	WScript.exe
22	2376	WScript.exe
23	2376	WScript.exe
24	2376	WScript.exe
25	2376	WScript.exe
26	2376	WScript.exe
27	2376	WScript.exe
28	2376	WScript.exe
29	2376	WScript.exe
30	2376	WScript.exe
31	2376	WScript.exe
32	2376	WScript.exe
33	2376	WScript.exe
34	2376	WScript.exe
35	2376	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HXpBUBTtZF.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HXpBUBTtZF.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\HXpBUBTtZF.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3148 3680 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
3148	3680	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe
3148	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3148 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3148	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 636 wrote to memory of 2376	636	wscript.exe	WScript.exe
PID 636 wrote to memory of 2376	636	wscript.exe	WScript.exe
PID 636 wrote to memory of 3680	636	wscript.exe	javaw.exe
PID 636 wrote to memory of 3680	636	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\b66fe747_bGWi6sLSFI.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2376

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\acwwtemn.txt"
2⤵
PID:3680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3680 -s 356
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js

MD5
150efb51ec05bc4a9bbb525397f5f741

SHA1
be85f05d5a074fa98232cf993fc6f5a7dac9f880

SHA256
b97357a2422085a44feea1491f88a44e3a9080cef0330a70b6d9cc0f0ed3cd19

SHA512
e45f7012eb013e53b9a49e239bf7c07a81a08587501674fdb0e6f048edfa904b01138da374ce51b131f1bda952761cc64e317fe453e76d8cf099868a4ad301e5

Download Submit
C:\Users\Admin\AppData\Roaming\acwwtemn.txt

MD5
ca4cf45e9499c04f77d54212bb0805c0

SHA1
296688e7207ddbdd7f0e5096ae9c1993b5ff130b

SHA256
f8255759c5da02e9b0de11ea93f90f14fc34bb8cd839ff7c4a53a86438b11344

SHA512
90075be1e95bacdb020504304b79cc1e2fca3eadcffd87d00c16d95ce93922e3b1835b93d0f91874dcfb3dd17b8dafad65c3a258bd95a0e05a237cd4f1691d0b

Download Submit
memory/2376-114-0x0000000000000000-mapping.dmp

Download
memory/3680-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads