vjw0rm | a83a0eedfbf72c7be9ffa9c6463dcd2894c9a8a58e1ad159c3c53e0c5320f4d5

General

Target

PG4636.js
Size

25KB
MD5

3a55168bae35da0ff8a02ca13b65feec
SHA1

dcf7b48bfb2a994598d0f0a45c24121a4ee22255
SHA256

e114d03550228080f08b8053424ad98b31e285b64b5dc4d1476b93cc5a6ccfe3
SHA512

1cb2db2a7beedcb84ade4fb6d91f5408932d4acfb94ae08fac98c7571e544af6b57475469f7f49cf4348bd8852df2bd8e5fc9b931bfa18ac38e2d447a1411b74

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://spdxx.ddns.net:5050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	472	wscript.exe
9	1492	wscript.exe
10	1492	wscript.exe
13	1492	wscript.exe
15	1492	wscript.exe
18	1492	wscript.exe
19	1492	wscript.exe
22	1492	wscript.exe
25	1492	wscript.exe
26	1492	wscript.exe
29	1492	wscript.exe
32	1492	wscript.exe
33	1492	wscript.exe
37	1492	wscript.exe
38	1492	wscript.exe
40	1492	wscript.exe
44	1492	wscript.exe
46	1492	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PG4636.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lCIDiaBTRx.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lCIDiaBTRx.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PG4636.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\lCIDiaBTRx.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\2JXT0X5UJW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PG4636.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1320 schtasks.exe

pid	process
1320	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 472 wrote to memory of 1492	472	wscript.exe	wscript.exe
PID 472 wrote to memory of 1492	472	wscript.exe	wscript.exe
PID 472 wrote to memory of 1492	472	wscript.exe	wscript.exe
PID 472 wrote to memory of 1320	472	wscript.exe	schtasks.exe
PID 472 wrote to memory of 1320	472	wscript.exe	schtasks.exe
PID 472 wrote to memory of 1320	472	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PG4636.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lCIDiaBTRx.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1492
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\PG4636.js
  2⤵
  - Creates scheduled task(s)
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lCIDiaBTRx.js

MD5
b194870cc96562f5965d173c6af59eec

SHA1
6bbf40751c217b162081f5e9f8f61d122f20bb0d

SHA256
a9c39c1d8c26b309f1d64b8d2689f6e89baad24f8d79527ea029e4d8f3a6c496

SHA512
e2c2bff420515185f2b58d453d51760644af697549e83f55d097f049ca40c70900ba37e2a86db5246ddf7bd8517449fe7c43518652fa67d8ca522fd7aa2e9059

Download Submit
memory/472-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1320-58-0x0000000000000000-mapping.dmp

Download
memory/1492-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads