vjw0rm | 556e3aa4f1bdf16c72a2ab22884b935936386f69ca4977a6e815bcc1eb3b9408

General

Target

SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
Size

491KB
MD5

87abfdba2290a31df0d97e91cc4b1195
SHA1

04ccec1a839efb216cfab4c6bf35e25b1b320157
SHA256

556e3aa4f1bdf16c72a2ab22884b935936386f69ca4977a6e815bcc1eb3b9408
SHA512

bcf7c1528ca72669d43d495f5daa21417f757dbd825593cf6589bf9502e3866b7860a807be81a92d9d20dc2dee4ca84bae85dabcddec3a53b83ba336a840aa9c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

11 2328 WScript.exe
26 2328 WScript.exe
27 2328 WScript.exe
35 2328 WScript.exe

flow	pid	process
11	2328	WScript.exe
26	2328	WScript.exe
27	2328	WScript.exe
35	2328	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\oiCIKHrGSI.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3988 wrote to memory of 2328	3988	wscript.exe	WScript.exe
PID 3988 wrote to memory of 2328	3988	wscript.exe	WScript.exe
PID 3988 wrote to memory of 3976	3988	wscript.exe	javaw.exe
PID 3988 wrote to memory of 3976	3988	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2328

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wgpwpbh.txt"
2⤵
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js
MD5
038c57a99948f84dc9f7d28c8222ae1d

SHA1
106c916e61361f0909d333dcfa443c5133f60c30

SHA256
1c5eca10e29f34a1815b9e8b10e08992e8649dfcfe9179c8038e2742a3ea024c

SHA512
81861c121e3ea75b79b492bbc88d29f92161c24d14fc830bf96445289c8962efefcabe24db3e30dfb8010ba81e9bdb9b6b41ad77c5b4ccf75f8aa33a8219411b

Download Submit
C:\Users\Admin\AppData\Roaming\wgpwpbh.txt
MD5
93b2bbdc3ac1b3ce7de0e30ac58dd1cd

SHA1
0d14da204efe243dcd0cdbad4ebaf856520f2cf8

SHA256
384b9601ed610345bbc487045c94b01c9ba182edcf25e01fc57cd3f06b6eaed1

SHA512
bb040ec34a8cef35cc7507968186d529fccc313a9a88ac0e43affacba9d4392eeb5745212c07b7f83e427662529f0b4edfb1bc1921430d7e1df46e5b0defd04d

Download Submit
memory/2328-115-0x0000000000000000-mapping.dmp

Download
memory/3976-147-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/3976-242-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/3976-120-0x0000000002C90000-0x0000000002F00000-memory.dmp

Filesize
2.4MB

Download
memory/3976-121-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-123-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-124-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/3976-127-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-128-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-149-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3976-129-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3976-131-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/3976-135-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-138-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-137-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3976-141-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/3976-140-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3976-143-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3976-117-0x0000000000000000-mapping.dmp

Download
memory/3976-130-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3976-119-0x0000000002C90000-0x0000000002F00000-memory.dmp

Filesize
2.4MB

Download
memory/3976-172-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3976-158-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-167-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/3976-169-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3976-171-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3976-151-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3976-183-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3976-193-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/3976-218-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3976-224-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/3976-226-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3976-233-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3976-234-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3976-236-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/3976-238-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3976-240-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/3976-145-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/3976-245-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads