vjw0rm | cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0

General

Target

c190431d_hyUa2Op4cf.js
Size

207KB
MD5

c190431d51eed488359ebc98cbb2e900
SHA1

eaa9bbf31cc5c32bc03cd146a3869a2b4abd29ee
SHA256

cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0
SHA512

540dab7e3443704b5ad54a5c8dbed684c44ab48d4feac6f5f6f372b847c1367e8808ece7b7a7af01bb178a8b88d42e86cd94dfea220043baf78f54542d90085e

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
10	1880	WScript.exe
17	1880	WScript.exe
20	1880	WScript.exe
22	1880	WScript.exe
23	1880	WScript.exe
24	1880	WScript.exe
27	1880	WScript.exe
28	1880	WScript.exe
29	1880	WScript.exe
30	1880	WScript.exe
31	1880	WScript.exe
32	1880	WScript.exe
33	1880	WScript.exe
34	1880	WScript.exe
35	1880	WScript.exe
36	1880	WScript.exe
37	1880	WScript.exe
38	1880	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\cpfiOsUkOB.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1008 2096 WerFault.exe javaw.exe
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings wscript.exe

pid	pid_target	process	target process
1008	2096	WerFault.exe	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1008 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1008	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3388 wrote to memory of 1880	3388	wscript.exe	WScript.exe
PID 3388 wrote to memory of 1880	3388	wscript.exe	WScript.exe
PID 3388 wrote to memory of 2096	3388	wscript.exe	javaw.exe
PID 3388 wrote to memory of 2096	3388	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c190431d_hyUa2Op4cf.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1880

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rbghadvy.txt"
2⤵
PID:2096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2096 -s 360
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js

MD5
4572042fa026d488a4671b852b94a692

SHA1
3d0f401c799896d9fc04ffc78db5ef31e2384fae

SHA256
7f019f498b724ed99ace9c57eaff75f1280a1298b6f4d95c03bf2d74994126fe

SHA512
16addb60f8b2dff6223a713bdaf4b9f39a09d7046c2b967ccb38c650e1d90022c993a0aa12371b7f248fe7f7093a48a2c17cedf85fa50b87756e73bb5ae61cdd

Download Submit
C:\Users\Admin\AppData\Roaming\rbghadvy.txt

MD5
a4ac8b8642e628e577d1048ca97cc204

SHA1
982102027bf878e74faf9a2b32a6f4ba218d04fd

SHA256
af78d72f8eade441cadc93ce4b51766604cde43267d5b610da63503823f8793b

SHA512
58f8f47ce6b3a1a367bea63cb8c4aa8c3bc9813d85482bd8fa946b33161829fb17dc5d1cc5b341c639ec464ca7c7bba849f7b4cb37950af9864d3954da7566f5

Download Submit
memory/1880-115-0x0000000000000000-mapping.dmp

Download
memory/2096-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads