vjw0rm | d4276b4b8112c9cd47f919bbec2dd4c411c18e3727b8232e89240652b9becc1c

General

Target

5bed3acd_ijm1WfCl4H.js
Size

901KB
MD5

5bed3acd00a2c4a7f40d0a90f712279f
SHA1

04ee09c5ca9227991e240fb8fadf0ab04358791f
SHA256

d4276b4b8112c9cd47f919bbec2dd4c411c18e3727b8232e89240652b9becc1c
SHA512

aea4ff20e67d2452cbb64cf1fab93e5376155c0f216bf75a2e41eee9a9477cf63b131fee13211e310f81dbdfd754870238a9f402d69767b7e23a2a1e50392c42

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
6	556	WScript.exe
7	556	WScript.exe
8	556	WScript.exe
10	556	WScript.exe
11	556	WScript.exe
12	556	WScript.exe
14	556	WScript.exe
15	556	WScript.exe
16	556	WScript.exe
18	556	WScript.exe
19	556	WScript.exe
20	556	WScript.exe
22	556	WScript.exe
23	556	WScript.exe
24	556	WScript.exe
26	556	WScript.exe
27	556	WScript.exe
28	556	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwtkZLJnNn.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwtkZLJnNn.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\hwtkZLJnNn.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 1116 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1684 WerFault.exe
1684 WerFault.exe
1684 WerFault.exe
1684 WerFault.exe
1684 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1684 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1684 WerFault.exe

pid	pid_target	process	target process
1684	1116	WerFault.exe	javaw.exe

pid	process
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

pid	process
1684	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1684	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1968 wrote to memory of 556	1968	wscript.exe	WScript.exe
PID 1968 wrote to memory of 556	1968	wscript.exe	WScript.exe
PID 1968 wrote to memory of 556	1968	wscript.exe	WScript.exe
PID 1968 wrote to memory of 1116	1968	wscript.exe	javaw.exe
PID 1968 wrote to memory of 1116	1968	wscript.exe	javaw.exe
PID 1968 wrote to memory of 1116	1968	wscript.exe	javaw.exe
PID 1116 wrote to memory of 1684	1116	javaw.exe	WerFault.exe
PID 1116 wrote to memory of 1684	1116	javaw.exe	WerFault.exe
PID 1116 wrote to memory of 1684	1116	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\5bed3acd_ijm1WfCl4H.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hwtkZLJnNn.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:556

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dmxgiypjr.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1116 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dmxgiypjr.txt

MD5
5078ad12ffafbc7e55e5f10ba4116475

SHA1
47784babdb98167c49707ea997ffd2ed7511018a

SHA256
af07eb0ab29898403dd039be4bb18d4d157c5c8d86967556d6a08530d7660da8

SHA512
c98b85b3d81a47a63074e6824cab3d5763d16d9145e828d5c3a59221eafcfa1f170c56a3407b0fcbb9772806b871eb71997163444cca252f98d2b295bb534609

Download Submit
C:\Users\Admin\AppData\Roaming\hwtkZLJnNn.js

MD5
6a23319a0033806b666ee758ccce7328

SHA1
e292a2a56901f142fea6d602636c007ac9b5f4c6

SHA256
e9ba6de1364151864a9835378f9245cc30d66216d9273b845fba8ed64aa1a76f

SHA512
d5c3bccd9eb5346308d212902d462d8c6384a3e0871115d8cf06abe0d3f7bbd4208496c2911917f93e4a73e0ad645ebedf12dfa7a1d8cfe5bc8ce0a812966187

Download Submit
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/1116-63-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1684-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1968-60-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads