vjw0rm | cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0

General

Target

c190431d_hyUa2Op4cf.js
Size

207KB
MD5

c190431d51eed488359ebc98cbb2e900
SHA1

eaa9bbf31cc5c32bc03cd146a3869a2b4abd29ee
SHA256

cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0
SHA512

540dab7e3443704b5ad54a5c8dbed684c44ab48d4feac6f5f6f372b847c1367e8808ece7b7a7af01bb178a8b88d42e86cd94dfea220043baf78f54542d90085e

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
7	316	WScript.exe
8	316	WScript.exe
9	316	WScript.exe
11	316	WScript.exe
12	316	WScript.exe
13	316	WScript.exe
15	316	WScript.exe
16	316	WScript.exe
17	316	WScript.exe
19	316	WScript.exe
20	316	WScript.exe
21	316	WScript.exe
23	316	WScript.exe
24	316	WScript.exe
25	316	WScript.exe
27	316	WScript.exe
28	316	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\cpfiOsUkOB.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1564 1172 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1564 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1564 WerFault.exe

pid	pid_target	process	target process
1564	1172	WerFault.exe	javaw.exe

pid	process
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe

pid	process
1564	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1564	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1640 wrote to memory of 316	1640	wscript.exe	WScript.exe
PID 1640 wrote to memory of 316	1640	wscript.exe	WScript.exe
PID 1640 wrote to memory of 316	1640	wscript.exe	WScript.exe
PID 1640 wrote to memory of 1172	1640	wscript.exe	javaw.exe
PID 1640 wrote to memory of 1172	1640	wscript.exe	javaw.exe
PID 1640 wrote to memory of 1172	1640	wscript.exe	javaw.exe
PID 1172 wrote to memory of 1564	1172	javaw.exe	WerFault.exe
PID 1172 wrote to memory of 1564	1172	javaw.exe	WerFault.exe
PID 1172 wrote to memory of 1564	1172	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c190431d_hyUa2Op4cf.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:316

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nqxwgxwnok.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1172 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js

MD5
4572042fa026d488a4671b852b94a692

SHA1
3d0f401c799896d9fc04ffc78db5ef31e2384fae

SHA256
7f019f498b724ed99ace9c57eaff75f1280a1298b6f4d95c03bf2d74994126fe

SHA512
16addb60f8b2dff6223a713bdaf4b9f39a09d7046c2b967ccb38c650e1d90022c993a0aa12371b7f248fe7f7093a48a2c17cedf85fa50b87756e73bb5ae61cdd

Download Submit
C:\Users\Admin\AppData\Roaming\nqxwgxwnok.txt

MD5
a4ac8b8642e628e577d1048ca97cc204

SHA1
982102027bf878e74faf9a2b32a6f4ba218d04fd

SHA256
af78d72f8eade441cadc93ce4b51766604cde43267d5b610da63503823f8793b

SHA512
58f8f47ce6b3a1a367bea63cb8c4aa8c3bc9813d85482bd8fa946b33161829fb17dc5d1cc5b341c639ec464ca7c7bba849f7b4cb37950af9864d3954da7566f5

Download Submit
memory/316-54-0x0000000000000000-mapping.dmp

Download
memory/1172-56-0x0000000000000000-mapping.dmp

Download
memory/1564-59-0x0000000000000000-mapping.dmp

Download
memory/1564-61-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/1640-53-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads