vjw0rm | 37dea53db80a227936238a3e43a474a48114b3f209cf2d44606735a5cfecf727

General

Target

Signed agreement documents.js
Size

272KB
MD5

c15a7e48753b74413ffd8c4bedebf689
SHA1

0673e275a19a4f35b09c24941cf9baaae57e3b36
SHA256

37dea53db80a227936238a3e43a474a48114b3f209cf2d44606735a5cfecf727
SHA512

e3d7ed11f895999c564d34aba8ae293dae8ab1e3498f32cdbbb6af828d4550971db2c1ab903315461be58afdb0a8fd1f5a7eeea81869f68d473df32b45c2fde0

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 19 IoCs

Processes:

WScript.exe

flow	pid	process
9	3892	WScript.exe
18	3892	WScript.exe
19	3892	WScript.exe
26	3892	WScript.exe
27	3892	WScript.exe
28	3892	WScript.exe
29	3892	WScript.exe
30	3892	WScript.exe
32	3892	WScript.exe
33	3892	WScript.exe
34	3892	WScript.exe
35	3892	WScript.exe
36	3892	WScript.exe
37	3892	WScript.exe
38	3892	WScript.exe
39	3892	WScript.exe
40	3892	WScript.exe
41	3892	WScript.exe
42	3892	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBPnCuqwkU.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBPnCuqwkU.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\kBPnCuqwkU.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2668 wrote to memory of 3892	2668	wscript.exe	WScript.exe
PID 2668 wrote to memory of 3892	2668	wscript.exe	WScript.exe
PID 2668 wrote to memory of 1948	2668	wscript.exe	javaw.exe
PID 2668 wrote to memory of 1948	2668	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Signed agreement documents.js"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kBPnCuqwkU.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3892

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pxoqbv.txt"
2⤵
- Drops file in Program Files directory
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kBPnCuqwkU.js
MD5
d70eaf98a3d76fd9734962cc7a770997

SHA1
d981a9ff4cb9859a0139f2170268bc3ab289fec9

SHA256
cf853567cef87bd09cc6dbe0ff5840e587a74768c831a91f58c150bef3d47a9c

SHA512
255480b15b594605a2300a5c036ec11527c9d18ebe789fc5d85ff77774e7636437e8a8ad43b06e8a67919edf4e530f26ced35b51b3dc0937fa45af2d6e1dbcd7

Download Submit
C:\Users\Admin\AppData\Roaming\pxoqbv.txt
MD5
3bbd2a35537d45e465e726ceb068e721

SHA1
1fd2e5d632edeea94e688aacabc373ebe3af11c7

SHA256
d10a6e46e300e0b6ab0c038b33cdc173b844f5895a994232e5f5d4b0a39215c7

SHA512
89776550c479e12d342b53de4ac5bb512f3546eac9e52186cc080c836b4757e665931b416bee2849e2426fceb1b12e3cb376fbf628282dc3ef28378b16b39808

Download Submit
memory/1948-117-0x0000000000000000-mapping.dmp

Download
memory/1948-119-0x0000000003160000-0x00000000033D0000-memory.dmp

Filesize
2.4MB

Download
memory/1948-120-0x0000000003160000-0x00000000033D0000-memory.dmp

Filesize
2.4MB

Download
memory/1948-121-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1948-123-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1948-125-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/1948-124-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/1948-126-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/1948-127-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/3892-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads