vjw0rm | c2d776ff9f6d544f34a52370f0160ab65c74a633ba8c98aeead56fafc71a2af0

General

Target

RFQ_SHIPREPAIRANDSPAREPARTS SUPPLY SHEET pdf.js
Size

557KB
MD5

7eef8f4251de5e1aa8554248af33d922
SHA1

344526610dce8c83ebfe01400100b10c96d9af33
SHA256

c2d776ff9f6d544f34a52370f0160ab65c74a633ba8c98aeead56fafc71a2af0
SHA512

35092f2478e686b2889211f028f572f98789e291d731e72f05aec35b3aa4517ea544a1086a19a7a2b0cca98bc1c6d7217dd34db7564cbfd17f290c63e5adac51

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

13 464 WScript.exe
14 464 WScript.exe
15 464 WScript.exe
17 464 WScript.exe
18 464 WScript.exe
19 464 WScript.exe

flow	pid	process
13	464	WScript.exe
14	464	WScript.exe
15	464	WScript.exe
17	464	WScript.exe
18	464	WScript.exe
19	464	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fRpmSwrjJv.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fRpmSwrjJv.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fRpmSwrjJv.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1576 wrote to memory of 464	1576	wscript.exe	WScript.exe
PID 1576 wrote to memory of 464	1576	wscript.exe	WScript.exe
PID 1576 wrote to memory of 464	1576	wscript.exe	WScript.exe
PID 1576 wrote to memory of 836	1576	wscript.exe	javaw.exe
PID 1576 wrote to memory of 836	1576	wscript.exe	javaw.exe
PID 1576 wrote to memory of 836	1576	wscript.exe	javaw.exe
PID 836 wrote to memory of 1760	836	javaw.exe	java.exe
PID 836 wrote to memory of 1760	836	javaw.exe	java.exe
PID 836 wrote to memory of 1760	836	javaw.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ_SHIPREPAIRANDSPAREPARTS SUPPLY SHEET pdf.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fRpmSwrjJv.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:464

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nwiopphj.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\nwiopphj.txt"
3⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fRpmSwrjJv.js
MD5
00d85f5083184e38d853cff484c63356

SHA1
f2217905fb367c4b237598cfce2878d968e342e2

SHA256
25ffd7f69dbdfd9b0660606f06b7f933f4b3577f9f0dcc83214d8bea4fa538af

SHA512
0f127aecfe64e9ee578c24435671be1e6645b0b9fb2ce257c6c54bfb828c217a765338211cc338262402cf6b4e0cae2fc8fddd48d9ae8a7a20e045b56004bb53

Download Submit
C:\Users\Admin\AppData\Roaming\nwiopphj.txt
MD5
d7af6f48833d4d696e9fee852108e5fc

SHA1
a433cd0b27a67d883d404662230923c2262bae75

SHA256
cad6e2a73119072971ebdc8fa2deedb187499694e952e4de23e591be6003ebbd

SHA512
6b229028742537bb657162befcc622f44842480173df9c90968aaaf0b1d10d6f96420ba7501b59479ef4cff8a44566dc6fb746abbfe538170f39be1ecb130d80

Download Submit
C:\Users\Admin\nwiopphj.txt
MD5
d7af6f48833d4d696e9fee852108e5fc

SHA1
a433cd0b27a67d883d404662230923c2262bae75

SHA256
cad6e2a73119072971ebdc8fa2deedb187499694e952e4de23e591be6003ebbd

SHA512
6b229028742537bb657162befcc622f44842480173df9c90968aaaf0b1d10d6f96420ba7501b59479ef4cff8a44566dc6fb746abbfe538170f39be1ecb130d80

Download Submit
memory/464-56-0x0000000000000000-mapping.dmp

Download
memory/836-70-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-76-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-62-0x0000000002300000-0x0000000002570000-memory.dmp

Filesize
2.4MB

Download
memory/836-63-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-64-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-68-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-58-0x0000000000000000-mapping.dmp

Download
memory/836-74-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-75-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-61-0x0000000002300000-0x0000000002570000-memory.dmp

Filesize
2.4MB

Download
memory/836-77-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-78-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-79-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-81-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/836-83-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1576-55-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1760-82-0x0000000000000000-mapping.dmp

Download
memory/1760-87-0x0000000002380000-0x00000000025F0000-memory.dmp

Filesize
2.4MB

Download
memory/1760-88-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads