vjw0rm | b92e1f81e2d7173920660713191630a8c2012e22540d247cc42357163b35322f

General

Target

SKM_71221.js
Size

188KB
MD5

7ffbe101071f11f8aac5803111017b68
SHA1

c5eca7d30dc157d2574d64c50a3c00c74ce9dc7b
SHA256

b92e1f81e2d7173920660713191630a8c2012e22540d247cc42357163b35322f
SHA512

cd346aa7403f384d63400d6eded77a3eaf26edd65dab987f4e3c035f5f6c0e50feba907159bf733e8b98a57a99014c09cfa1f7e35462722245e8d6e013d04ff6

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://spdxx.ddns.net:5050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	1932	wscript.exe
9	896	wscript.exe
11	896	wscript.exe
13	896	wscript.exe
16	896	wscript.exe
18	896	wscript.exe
20	896	wscript.exe
22	896	wscript.exe
24	896	wscript.exe
27	896	wscript.exe
30	896	wscript.exe
31	896	wscript.exe
33	896	wscript.exe
36	896	wscript.exe
38	896	wscript.exe
40	896	wscript.exe
43	896	wscript.exe
45	896	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKM_71221.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doiNDNkXjX.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doiNDNkXjX.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\doiNDNkXjX.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\0WENLYRIM2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\SKM_71221.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

832 schtasks.exe

pid	process
832	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1932 wrote to memory of 896	1932	wscript.exe	wscript.exe
PID 1932 wrote to memory of 896	1932	wscript.exe	wscript.exe
PID 1932 wrote to memory of 896	1932	wscript.exe	wscript.exe
PID 1932 wrote to memory of 832	1932	wscript.exe	schtasks.exe
PID 1932 wrote to memory of 832	1932	wscript.exe	schtasks.exe
PID 1932 wrote to memory of 832	1932	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM_71221.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\doiNDNkXjX.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:896
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SKM_71221.js
  2⤵
  - Creates scheduled task(s)
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\doiNDNkXjX.js

MD5
49c8b366e0b9a825a0549ab0c9d3c923

SHA1
2a2cd65eda4e33d461baf3ff1e9eed1121ed8db5

SHA256
ea51f4a1f96b69887d82e8dd79df0c4baaa7d07bd52e59a8fedcdd0381ccb213

SHA512
afb2a921e494a2984382cab9d1d425a300de90e850503dfc8b886e12b9d33bb486eb1004030cb9c62cbb83dc38abb8f51b2ca98d9374370e358729d4b25f776c

Download Submit
memory/832-58-0x0000000000000000-mapping.dmp

Download
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/1932-55-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads