vjw0rm | 4f530abf5bd586ec60a6180e0954c538992b0d440d208873eae7312c0324f39d

General

Target

A1_DBBTTQPS.js
Size

204KB
MD5

9aa0ce6ee10299ddc0e0595e08716eaf
SHA1

d66f2c1d3689201c8e4120113d23007e64ffe479
SHA256

4f530abf5bd586ec60a6180e0954c538992b0d440d208873eae7312c0324f39d
SHA512

157f8add99042e9282236a7428d623d510484439ec2ca79eb33abd1e04f58f63dfab4f6b4346abefdd1e62b335c9a40cbd82606e66ffb4dc9bf67919f9dab189

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

9 2264 WScript.exe
10 2264 WScript.exe
19 2264 WScript.exe
20 2264 WScript.exe
28 2264 WScript.exe
29 2264 WScript.exe

flow	pid	process
9	2264	WScript.exe
10	2264	WScript.exe
19	2264	WScript.exe
20	2264	WScript.exe
28	2264	WScript.exe
29	2264	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nySyliNvdG.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nySyliNvdG.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\nySyliNvdG.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3460 wrote to memory of 2264	3460	wscript.exe	WScript.exe
PID 3460 wrote to memory of 2264	3460	wscript.exe	WScript.exe
PID 3460 wrote to memory of 500	3460	wscript.exe	javaw.exe
PID 3460 wrote to memory of 500	3460	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\A1_DBBTTQPS.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nySyliNvdG.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2264

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dvfdgdq.txt"
2⤵
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dvfdgdq.txt
MD5
e5c57969a139fa14269758cb8cc8f9a7

SHA1
432f65c2b1da28b421eac3956d8cefd72f04ae6a

SHA256
b2b661ff89ba10a5a27a06df63a9ffd158b254aff5f38a96ff5c1f6344959501

SHA512
526f7f1717488c87457353d78480ec590d5abf5bf6bdc697dc92433c26a949c649b94bd83cfc7891c24fbc5e96414793fb9a192f77a3ded9ad434d8524a215d5

Download Submit
C:\Users\Admin\AppData\Roaming\nySyliNvdG.js
MD5
1e5205082ecf95e315797f2e5a071c4c

SHA1
675aa142f863d3fb0e57855d3b690dc875bcfac9

SHA256
607a9649bfbc3dd7e06ce93fdd68a543e8ee498d37d898650fc64659500bf4e9

SHA512
33e65c44ac8c0ce1f8d6325d55c931ba645d0d752196dc148d0bc0cdab075f863d380220f0f9ad105a98cba848baaa0bf6d6436ffcbe23a21be7177e55e49c83

Download Submit
memory/500-139-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-124-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-145-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/500-123-0x0000000002820000-0x0000000002A90000-memory.dmp

Filesize
2.4MB

Download
memory/500-146-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/500-128-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-129-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-131-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/500-132-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/500-133-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-134-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/500-161-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-198-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-144-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/500-122-0x0000000002820000-0x0000000002A90000-memory.dmp

Filesize
2.4MB

Download
memory/500-120-0x0000000000000000-mapping.dmp

Download
memory/500-135-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/500-167-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/500-168-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/500-171-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/500-172-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/500-175-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/500-177-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/500-179-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/500-186-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/500-188-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download
memory/500-190-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/500-194-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2264-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads