vjw0rm | 63bca571548f7d4b53522b9c39667baf14a6341c299960098c508dfb55697ac7

General

Target

Purchase Contract.js
Size

31KB
MD5

015a0a4c64c8ce840ffe844b3be1584b
SHA1

8aa1cd8dfc3e03f20a20ee8f647c74a884895f60
SHA256

63bca571548f7d4b53522b9c39667baf14a6341c299960098c508dfb55697ac7
SHA512

b72fd08b996ec54556f4de7c94eb6bf1b05d94c98077420eac7c89cdbfa21e7a8e423afa283f8b1752518a194f7d37e4f1458b80cf16c214624c4aaafbe21a8f

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 37 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
11	1424	wscript.exe
12	3936	wscript.exe
16	3936	wscript.exe
17	1424	wscript.exe
22	3936	wscript.exe
23	1424	wscript.exe
34	3936	wscript.exe
35	1424	wscript.exe
36	3936	wscript.exe
39	1424	wscript.exe
40	3936	wscript.exe
41	1424	wscript.exe
42	3936	wscript.exe
43	1424	wscript.exe
44	3936	wscript.exe
47	1424	wscript.exe
48	3936	wscript.exe
49	1424	wscript.exe
50	3936	wscript.exe
51	1424	wscript.exe
52	3936	wscript.exe
53	1424	wscript.exe
54	3936	wscript.exe
55	1424	wscript.exe
56	3936	wscript.exe
57	1424	wscript.exe
58	3936	wscript.exe
59	1424	wscript.exe
60	3936	wscript.exe
61	1424	wscript.exe
62	3936	wscript.exe
63	1424	wscript.exe
64	3936	wscript.exe
65	1424	wscript.exe
66	3936	wscript.exe
67	1424	wscript.exe
68	3936	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RRXVpOavDl.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RRXVpOavDl.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Contract.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\RRXVpOavDl.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\0WENLYRIM2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Contract.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1996 schtasks.exe

pid	process
1996	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1424 wrote to memory of 3936	1424	wscript.exe	wscript.exe
PID 1424 wrote to memory of 3936	1424	wscript.exe	wscript.exe
PID 1424 wrote to memory of 1996	1424	wscript.exe	schtasks.exe
PID 1424 wrote to memory of 1996	1424	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Contract.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RRXVpOavDl.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3936
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Purchase Contract.js
  2⤵
  - Creates scheduled task(s)
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RRXVpOavDl.js

MD5
dfdc9c79b321d87cc8dcbb361a69ecb5

SHA1
7d430e4ef2ecaf4db5e42789a56b2ea4e280b35c

SHA256
f99f5c043620cf790857f1a2c8906a9323c57a5b6fa6a59acd571eb1bfc68328

SHA512
4856afcf1953a9056253af8baa39b6d9283aa17153903c3c671785e51ac2ccf7aa104fac5e4c2fb4098d1f1ed6a9c9212cfe2ebbbbe6f46fc53ebec96537705f

Download Submit
memory/1996-120-0x0000000000000000-mapping.dmp

Download
memory/3936-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads