vjw0rm | 04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6

General

Target

FedEx 20100321011 Package.js
Size

124KB
MD5

18765c6b1a20d6d90603230bca72c903
SHA1

874af995240ebd57aef18e00fcaa0f0f43583b85
SHA256

04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6
SHA512

3c58a98356b3b051797477d1e10cf2f469bed924d97edcd411b98c92436d4e3b4b91e650a0828583092ead6abd755bfdd641b95b4e0ed4e0e9ed75656ab0a5d5

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 34 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	660	wscript.exe
9	1652	wscript.exe
10	660	wscript.exe
12	1652	wscript.exe
14	660	wscript.exe
15	1652	wscript.exe
19	660	wscript.exe
20	1652	wscript.exe
22	660	wscript.exe
23	1652	wscript.exe
24	660	wscript.exe
26	1652	wscript.exe
30	660	wscript.exe
31	1652	wscript.exe
32	660	wscript.exe
34	1652	wscript.exe
36	660	wscript.exe
38	1652	wscript.exe
40	660	wscript.exe
42	1652	wscript.exe
44	660	wscript.exe
45	1652	wscript.exe
47	660	wscript.exe
49	1652	wscript.exe
52	660	wscript.exe
53	1652	wscript.exe
54	660	wscript.exe
56	1652	wscript.exe
57	660	wscript.exe
60	1652	wscript.exe
62	660	wscript.exe
64	1652	wscript.exe
66	660	wscript.exe
67	1652	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roNMkdClhb.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roNMkdClhb.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FedEx 20100321011 Package.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\0WENLYRIM2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\FedEx 20100321011 Package.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\roNMkdClhb.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe

pid	process
1964	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1652 wrote to memory of 660	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 660	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 660	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 1964	1652	wscript.exe	schtasks.exe
PID 1652 wrote to memory of 1964	1652	wscript.exe	schtasks.exe
PID 1652 wrote to memory of 1964	1652	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FedEx 20100321011 Package.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\roNMkdClhb.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\FedEx 20100321011 Package.js
2⤵
- Creates scheduled task(s)
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\roNMkdClhb.js
MD5
c7510446ac13d68ff1f041bebc605c7e

SHA1
5c35a25e7c547fadd03ff9da65b6f6afbb96fbd3

SHA256
d23f1d91a92c1c0730cef2255a8343246fac4ae8f090fca71d823aa368a19736

SHA512
04df165a56f675d32ba113a8a989c208a5954a016bf780912a2c1b9dc1951afa746f97beacb480b94889da63baea9211066d93cf2d1342d1615e936d8ccaaa30

Download Submit
memory/660-56-0x0000000000000000-mapping.dmp

Download
memory/1652-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads