vjw0rm | c2d776ff9f6d544f34a52370f0160ab65c74a633ba8c98aeead56fafc71a2af0

General

Target

RFQ_SHIPREPAIRANDSPAREPARTS SUPPLY SHEET pdf.js
Size

557KB
MD5

7eef8f4251de5e1aa8554248af33d922
SHA1

344526610dce8c83ebfe01400100b10c96d9af33
SHA256

c2d776ff9f6d544f34a52370f0160ab65c74a633ba8c98aeead56fafc71a2af0
SHA512

35092f2478e686b2889211f028f572f98789e291d731e72f05aec35b3aa4517ea544a1086a19a7a2b0cca98bc1c6d7217dd34db7564cbfd17f290c63e5adac51

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
9	2412	WScript.exe
10	2412	WScript.exe
13	2412	WScript.exe
20	2412	WScript.exe
25	2412	WScript.exe
28	2412	WScript.exe
29	2412	WScript.exe
36	2412	WScript.exe
37	2412	WScript.exe
38	2412	WScript.exe
39	2412	WScript.exe
40	2412	WScript.exe
41	2412	WScript.exe
42	2412	WScript.exe
43	2412	WScript.exe
44	2412	WScript.exe
45	2412	WScript.exe
46	2412	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fRpmSwrjJv.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fRpmSwrjJv.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fRpmSwrjJv.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1548 wrote to memory of 2412	1548	wscript.exe	WScript.exe
PID 1548 wrote to memory of 2412	1548	wscript.exe	WScript.exe
PID 1548 wrote to memory of 2784	1548	wscript.exe	javaw.exe
PID 1548 wrote to memory of 2784	1548	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ_SHIPREPAIRANDSPAREPARTS SUPPLY SHEET pdf.js"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fRpmSwrjJv.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2412

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\urggozvqr.txt"
2⤵
- Drops file in Program Files directory
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fRpmSwrjJv.js
MD5
00d85f5083184e38d853cff484c63356

SHA1
f2217905fb367c4b237598cfce2878d968e342e2

SHA256
25ffd7f69dbdfd9b0660606f06b7f933f4b3577f9f0dcc83214d8bea4fa538af

SHA512
0f127aecfe64e9ee578c24435671be1e6645b0b9fb2ce257c6c54bfb828c217a765338211cc338262402cf6b4e0cae2fc8fddd48d9ae8a7a20e045b56004bb53

Download Submit
C:\Users\Admin\AppData\Roaming\urggozvqr.txt
MD5
d7af6f48833d4d696e9fee852108e5fc

SHA1
a433cd0b27a67d883d404662230923c2262bae75

SHA256
cad6e2a73119072971ebdc8fa2deedb187499694e952e4de23e591be6003ebbd

SHA512
6b229028742537bb657162befcc622f44842480173df9c90968aaaf0b1d10d6f96420ba7501b59479ef4cff8a44566dc6fb746abbfe538170f39be1ecb130d80

Download Submit
memory/2412-115-0x0000000000000000-mapping.dmp

Download
memory/2784-121-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2784-119-0x0000000002670000-0x00000000028E0000-memory.dmp

Filesize
2.4MB

Download
memory/2784-120-0x0000000002670000-0x00000000028E0000-memory.dmp

Filesize
2.4MB

Download
memory/2784-117-0x0000000000000000-mapping.dmp

Download
memory/2784-124-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2784-126-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/2784-127-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2784-128-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2784-130-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2784-131-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads