vjw0rm | 4dd51675717f0f703ecbfa8e39c69a3038d2a3a42927a1cb5ab0271d3bfebbb4

General

Target

KBH-209294916.js
Size

317KB
MD5

7af00552a9b9ae64342d289f60c43627
SHA1

dae12e7429417f66e4419bfc6cb1b0f1e820c7c9
SHA256

4dd51675717f0f703ecbfa8e39c69a3038d2a3a42927a1cb5ab0271d3bfebbb4
SHA512

dbde91eaf3dff80b491e96336d90992f8ce3251e4ce3dd4f510135fedd7ef3b8810daaa4171eb64805780500e2ff5a44b1501ae0467eeba2b5d29254059e3f07

Score

10^/10

vjw0rm xloader pzi0 loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1064-76-0x000000000041D480-mapping.dmp	xloader
behavioral1/memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exe

flow	pid	process
5	1348	wscript.exe
7	1348	wscript.exe
9	1348	wscript.exe
13	1348	wscript.exe
14	1348	wscript.exe
15	1348	wscript.exe
17	1348	wscript.exe
18	1348	wscript.exe
19	1348	wscript.exe
21	1348	wscript.exe
24	1348	wscript.exe
29	1348	wscript.exe
33	1348	wscript.exe
37	1348	wscript.exe
40	1348	wscript.exe
44	1348	wscript.exe
47	1348	wscript.exe
50	1348	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

business1.exebusiness1.exe

pid process

1144 business1.exe
1064 business1.exe

pid	process
1144	business1.exe
1064	business1.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

business1.exe

pid process

1144 business1.exe

pid	process
1144	business1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\pYpNUJIEMR.js\""	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

business1.exebusiness1.exewlanext.exe

description	pid	process	target process
PID 1144 set thread context of 1064	1144	business1.exe	business1.exe
PID 1064 set thread context of 1384	1064	business1.exe	Explorer.EXE
PID 1308 set thread context of 1384	1308	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exebusiness1.exebusiness1.exewlanext.exe

pid	process
1036	powershell.exe
984	powershell.exe
1144	business1.exe
1144	business1.exe
1064	business1.exe
1064	business1.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe
1308	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

business1.exewlanext.exe

pid process

1064 business1.exe
1064 business1.exe
1064 business1.exe
1308 wlanext.exe
1308 wlanext.exe

pid	process
1064	business1.exe
1064	business1.exe
1064	business1.exe
1308	wlanext.exe
1308	wlanext.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

business1.exepowershell.exepowershell.exebusiness1.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	1144	business1.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeIncreaseQuotaPrivilege	1036	powershell.exe
Token: SeSecurityPrivilege	1036	powershell.exe
Token: SeTakeOwnershipPrivilege	1036	powershell.exe
Token: SeLoadDriverPrivilege	1036	powershell.exe
Token: SeSystemProfilePrivilege	1036	powershell.exe
Token: SeSystemtimePrivilege	1036	powershell.exe
Token: SeProfSingleProcessPrivilege	1036	powershell.exe
Token: SeIncBasePriorityPrivilege	1036	powershell.exe
Token: SeCreatePagefilePrivilege	1036	powershell.exe
Token: SeBackupPrivilege	1036	powershell.exe
Token: SeRestorePrivilege	1036	powershell.exe
Token: SeShutdownPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeSystemEnvironmentPrivilege	1036	powershell.exe
Token: SeRemoteShutdownPrivilege	1036	powershell.exe
Token: SeUndockPrivilege	1036	powershell.exe
Token: SeManageVolumePrivilege	1036	powershell.exe
Token: 33	1036	powershell.exe
Token: 34	1036	powershell.exe
Token: 35	1036	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeIncreaseQuotaPrivilege	984	powershell.exe
Token: SeSecurityPrivilege	984	powershell.exe
Token: SeTakeOwnershipPrivilege	984	powershell.exe
Token: SeLoadDriverPrivilege	984	powershell.exe
Token: SeSystemProfilePrivilege	984	powershell.exe
Token: SeSystemtimePrivilege	984	powershell.exe
Token: SeProfSingleProcessPrivilege	984	powershell.exe
Token: SeIncBasePriorityPrivilege	984	powershell.exe
Token: SeCreatePagefilePrivilege	984	powershell.exe
Token: SeBackupPrivilege	984	powershell.exe
Token: SeRestorePrivilege	984	powershell.exe
Token: SeShutdownPrivilege	984	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeSystemEnvironmentPrivilege	984	powershell.exe
Token: SeRemoteShutdownPrivilege	984	powershell.exe
Token: SeUndockPrivilege	984	powershell.exe
Token: SeManageVolumePrivilege	984	powershell.exe
Token: 33	984	powershell.exe
Token: 34	984	powershell.exe
Token: 35	984	powershell.exe
Token: SeDebugPrivilege	1064	business1.exe
Token: SeDebugPrivilege	1308	wlanext.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

wscript.exebusiness1.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1424 wrote to memory of 1348	1424	wscript.exe	wscript.exe
PID 1424 wrote to memory of 1348	1424	wscript.exe	wscript.exe
PID 1424 wrote to memory of 1348	1424	wscript.exe	wscript.exe
PID 1424 wrote to memory of 1144	1424	wscript.exe	business1.exe
PID 1424 wrote to memory of 1144	1424	wscript.exe	business1.exe
PID 1424 wrote to memory of 1144	1424	wscript.exe	business1.exe
PID 1424 wrote to memory of 1144	1424	wscript.exe	business1.exe
PID 1144 wrote to memory of 1036	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 1036	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 1036	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 1036	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 984	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 984	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 984	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 984	1144	business1.exe	powershell.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1144 wrote to memory of 1064	1144	business1.exe	business1.exe
PID 1384 wrote to memory of 1308	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 1308	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 1308	1384	Explorer.EXE	wlanext.exe
PID 1384 wrote to memory of 1308	1384	Explorer.EXE	wlanext.exe
PID 1308 wrote to memory of 928	1308	wlanext.exe	cmd.exe
PID 1308 wrote to memory of 928	1308	wlanext.exe	cmd.exe
PID 1308 wrote to memory of 928	1308	wlanext.exe	cmd.exe
PID 1308 wrote to memory of 928	1308	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\KBH-209294916.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1348

C:\Users\Admin\AppData\Local\Temp\business1.exe
"C:\Users\Admin\AppData\Local\Temp\business1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Users\Admin\AppData\Local\Temp\business1.exe
C:\Users\Admin\AppData\Local\Temp\business1.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\business1.exe"
3⤵
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\business1.exe
MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe
MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe
MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
2dc98df615c30ec0db90d58767d1eba3

SHA1
ac3d7ba1be985b4de8622fd85bf72becc458d06a

SHA256
5fa1a80b1d40a88f67d31be0defaea9e02fd3a09422ef640328a1f7138283984

SHA512
95fc164acfdd441ea4ffbe37a7feb77e589d2c3929c2ba88098ea3c010d5a21f9027b70da6cb6d55e2e96c5494f58dbf9b1ea9103162b642419afb5946a29424

Download Submit
C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js
MD5
56394f31c4ebe4c2569a078dc11f8b59

SHA1
72746e1bf2ab9def45d0bb3ecb09fbe42a132271

SHA256
1e5307933ab0b9a516b099fd4ffbcd0a80cb057076fd932fe3d70b257191226a

SHA512
b06d914c1c658d67414be6332c8855e462c3b4e59dfeb3b8cac6dca882795448f6ea664cfa9e83c30b0a7354a959c521c892dd4e4aad390b001f304abb716ca1

Download Submit
\Users\Admin\AppData\Local\Temp\business1.exe
MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
memory/928-85-0x0000000000000000-mapping.dmp

Download
memory/984-67-0x0000000000000000-mapping.dmp

Download
memory/1036-66-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1036-65-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1036-64-0x0000000000000000-mapping.dmp

Download
memory/1064-80-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/1064-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1064-76-0x000000000041D480-mapping.dmp

Download
memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1064-79-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/1064-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1144-63-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1144-58-0x0000000000000000-mapping.dmp

Download
memory/1144-70-0x0000000008560000-0x00000000085E1000-memory.dmp

Filesize
516KB

Download
memory/1144-71-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/1144-61-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1308-82-0x0000000000000000-mapping.dmp

Download
memory/1308-83-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1308-86-0x0000000001F20000-0x0000000002223000-memory.dmp

Filesize
3.0MB

Download
memory/1308-87-0x00000000008F0000-0x0000000000980000-memory.dmp

Filesize
576KB

Download
memory/1348-56-0x0000000000000000-mapping.dmp

Download
memory/1384-81-0x00000000070A0000-0x0000000007179000-memory.dmp

Filesize
868KB

Download
memory/1384-88-0x0000000006AC0000-0x0000000006C03000-memory.dmp

Filesize
1.3MB

Download
memory/1424-55-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads