vjw0rm | 2ed06b6205da9430586c2b69fb932fc8af44f52e7b0412228dc893b3bce0012c

General

Target

483dbc6a9fc9f1ea132cbd0b82a87919dac672f7.js
Size

917KB
MD5

9a5064b66239184e3b5534a14ea32605
SHA1

483dbc6a9fc9f1ea132cbd0b82a87919dac672f7
SHA256

2ed06b6205da9430586c2b69fb932fc8af44f52e7b0412228dc893b3bce0012c
SHA512

88e73f0d9e12a3cbb7c5486d7fa16f3053ca9a9d6d5deda7ecb31caab0b536a2270cf5a7917a017607b3fe9ffcc1ddf6bbd69b90064272824b933041855b4b6f

Score

10^/10

vjw0rm xloader pzi0 loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1176-129-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1176-130-0x000000000041D480-mapping.dmp	xloader
behavioral2/memory/704-139-0x0000000000C30000-0x0000000000C59000-memory.dmp	xloader

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exe

flow	pid	process
9	3444	wscript.exe
18	3444	wscript.exe
25	3444	wscript.exe
26	3444	wscript.exe
27	3444	wscript.exe
28	3444	wscript.exe
29	3444	wscript.exe
30	3444	wscript.exe
34	3444	wscript.exe
39	3444	wscript.exe
42	3444	wscript.exe
46	3444	wscript.exe
51	3444	wscript.exe
54	3444	wscript.exe
58	3444	wscript.exe
61	3444	wscript.exe
66	3444	wscript.exe
68	3444	wscript.exe

Executes dropped EXE 3 IoCs

Processes:

zXi79XK7hDQ1PQi.exezXi79XK7hDQ1PQi.exezXi79XK7hDQ1PQi.exe

pid process

3932 zXi79XK7hDQ1PQi.exe
608 zXi79XK7hDQ1PQi.exe
1176 zXi79XK7hDQ1PQi.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTOOicUsMY.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTOOicUsMY.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\hTOOicUsMY.js\""	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zXi79XK7hDQ1PQi.exezXi79XK7hDQ1PQi.exenetsh.exe

description	pid	process	target process
PID 3932 set thread context of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 1176 set thread context of 2960	1176	zXi79XK7hDQ1PQi.exe	Explorer.EXE
PID 704 set thread context of 2960	704	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

zXi79XK7hDQ1PQi.exezXi79XK7hDQ1PQi.exenetsh.exe

pid	process
3932	zXi79XK7hDQ1PQi.exe
3932	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe
704	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2960 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

zXi79XK7hDQ1PQi.exenetsh.exe

pid process

1176 zXi79XK7hDQ1PQi.exe
1176 zXi79XK7hDQ1PQi.exe
1176 zXi79XK7hDQ1PQi.exe
704 netsh.exe
704 netsh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zXi79XK7hDQ1PQi.exezXi79XK7hDQ1PQi.exenetsh.exe

description pid process

Token: SeDebugPrivilege 3932 zXi79XK7hDQ1PQi.exe
Token: SeDebugPrivilege 1176 zXi79XK7hDQ1PQi.exe
Token: SeDebugPrivilege 704 netsh.exe

pid	process
2960	Explorer.EXE

pid	process
1176	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
1176	zXi79XK7hDQ1PQi.exe
704	netsh.exe
704	netsh.exe

description	pid	process
Token: SeDebugPrivilege	3932	zXi79XK7hDQ1PQi.exe
Token: SeDebugPrivilege	1176	zXi79XK7hDQ1PQi.exe
Token: SeDebugPrivilege	704	netsh.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

wscript.exezXi79XK7hDQ1PQi.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2412 wrote to memory of 3444	2412	wscript.exe	wscript.exe
PID 2412 wrote to memory of 3444	2412	wscript.exe	wscript.exe
PID 2412 wrote to memory of 3932	2412	wscript.exe	zXi79XK7hDQ1PQi.exe
PID 2412 wrote to memory of 3932	2412	wscript.exe	zXi79XK7hDQ1PQi.exe
PID 2412 wrote to memory of 3932	2412	wscript.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 608	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 608	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 608	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 3932 wrote to memory of 1176	3932	zXi79XK7hDQ1PQi.exe	zXi79XK7hDQ1PQi.exe
PID 2960 wrote to memory of 704	2960	Explorer.EXE	netsh.exe
PID 2960 wrote to memory of 704	2960	Explorer.EXE	netsh.exe
PID 2960 wrote to memory of 704	2960	Explorer.EXE	netsh.exe
PID 704 wrote to memory of 2500	704	netsh.exe	cmd.exe
PID 704 wrote to memory of 2500	704	netsh.exe	cmd.exe
PID 704 wrote to memory of 2500	704	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\483dbc6a9fc9f1ea132cbd0b82a87919dac672f7.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hTOOicUsMY.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3444
- - C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe
    "C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe
      "C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe"
      4⤵
      Executes dropped EXE
      PID:608
  - - C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe
      "C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe"
    3⤵
    PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe

MD5
1706b1deca726bc8980e9d80fb0d09ab

SHA1
bef590e5a3afdd846c82427207e097c9669f7f00

SHA256
1dbaae0380a20352b8f2e1807bc247c4c305aeac9e89b5835b3ae8f1b7804b05

SHA512
ba2c29f2bbff746ba7d0a2ce897447b2421b07a3faa8be8ea2e4ca41f30c756939c5a07b62d7a0ede0375d1aa2527833d5bd08dcff379632378f0befcc259713

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe

MD5
1706b1deca726bc8980e9d80fb0d09ab

SHA1
bef590e5a3afdd846c82427207e097c9669f7f00

SHA256
1dbaae0380a20352b8f2e1807bc247c4c305aeac9e89b5835b3ae8f1b7804b05

SHA512
ba2c29f2bbff746ba7d0a2ce897447b2421b07a3faa8be8ea2e4ca41f30c756939c5a07b62d7a0ede0375d1aa2527833d5bd08dcff379632378f0befcc259713

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe

MD5
1706b1deca726bc8980e9d80fb0d09ab

SHA1
bef590e5a3afdd846c82427207e097c9669f7f00

SHA256
1dbaae0380a20352b8f2e1807bc247c4c305aeac9e89b5835b3ae8f1b7804b05

SHA512
ba2c29f2bbff746ba7d0a2ce897447b2421b07a3faa8be8ea2e4ca41f30c756939c5a07b62d7a0ede0375d1aa2527833d5bd08dcff379632378f0befcc259713

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXi79XK7hDQ1PQi.exe

MD5
1706b1deca726bc8980e9d80fb0d09ab

SHA1
bef590e5a3afdd846c82427207e097c9669f7f00

SHA256
1dbaae0380a20352b8f2e1807bc247c4c305aeac9e89b5835b3ae8f1b7804b05

SHA512
ba2c29f2bbff746ba7d0a2ce897447b2421b07a3faa8be8ea2e4ca41f30c756939c5a07b62d7a0ede0375d1aa2527833d5bd08dcff379632378f0befcc259713

Download Submit
C:\Users\Admin\AppData\Roaming\hTOOicUsMY.js

MD5
1a2a06c9b9377f182094c437ccafd3de

SHA1
923c7f81f8266f0753d6a7bf9591e06be5c35a4e

SHA256
873d6b1b90d36b2bf0be2a34df85fba65c95267a0c07976ec5de4633bbdf4345

SHA512
fcf37c4da3e954631997810be27809742a2a88df792f8a54b82ab21ca2a2958b0c5feb2e3497bc70a27050cb9519192304573e0a48d97fd669a4e27943106f84

Download Submit
memory/704-138-0x0000000000C70000-0x0000000000C8E000-memory.dmp

Filesize
120KB

Download
memory/704-140-0x00000000039A0000-0x0000000003CC0000-memory.dmp

Filesize
3.1MB

Download
memory/704-139-0x0000000000C30000-0x0000000000C59000-memory.dmp

Filesize
164KB

Download
memory/704-136-0x0000000000000000-mapping.dmp

Download
memory/704-141-0x0000000003570000-0x0000000003600000-memory.dmp

Filesize
576KB

Download
memory/1176-134-0x0000000001450000-0x0000000001461000-memory.dmp

Filesize
68KB

Download
memory/1176-132-0x00000000018E0000-0x0000000001C00000-memory.dmp

Filesize
3.1MB

Download
memory/1176-129-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1176-130-0x000000000041D480-mapping.dmp

Download
memory/2500-137-0x0000000000000000-mapping.dmp

Download
memory/2960-135-0x0000000005990000-0x0000000005A9D000-memory.dmp

Filesize
1.1MB

Download
memory/2960-142-0x00000000068A0000-0x0000000006A2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-115-0x0000000000000000-mapping.dmp

Download
memory/3932-127-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/3932-126-0x0000000005DA0000-0x0000000005DF9000-memory.dmp

Filesize
356KB

Download
memory/3932-125-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/3932-124-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/3932-123-0x0000000005660000-0x0000000005666000-memory.dmp

Filesize
24KB

Download
memory/3932-122-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3932-120-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3932-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads