vjw0rm | 77fb77cd4b1780a5d28c3aac47572f51c7e6ca4c729a21b2ce19810b9933a382

General

Target

PAYMENT SLIP.js
Size

729KB
MD5

085113cb8916d7a3a31640f56e1cf857
SHA1

32c0250d89f8c632fd2df14e056b74826a258752
SHA256

77fb77cd4b1780a5d28c3aac47572f51c7e6ca4c729a21b2ce19810b9933a382
SHA512

1215ef4a2754d6b7c9105040e74ed70de624a964008284432fe98750ec92d2d538a675b0353c18ccbceb056efb9a16033254523c2bf7c0c2519e2d3f0a9f1c12

Score

10^/10

vjw0rm xloader pzi0 loader persistence rat suricata trojan worm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wealth.exe	xloader
behavioral1/memory/1832-65-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
C:\Users\Admin\AppData\Local\Temp\wealth.exe	xloader

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exe

flow	pid	process
5	1556	wscript.exe
6	1556	wscript.exe
8	1556	wscript.exe
13	1556	wscript.exe
16	1556	wscript.exe
21	1556	wscript.exe
24	1556	wscript.exe
27	1556	wscript.exe
32	1556	wscript.exe
36	1556	wscript.exe
40	1556	wscript.exe
43	1556	wscript.exe
47	1556	wscript.exe
49	1556	wscript.exe
54	1556	wscript.exe
58	1556	wscript.exe
62	1556	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

wealth.exe

pid process

560 wealth.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGihbLxwSE.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGihbLxwSE.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\lGihbLxwSE.js\""	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

wealth.exeNETSTAT.EXE

description	pid	process	target process
PID 560 set thread context of 1448	560	wealth.exe	Explorer.EXE
PID 1832 set thread context of 1448	1832	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1832 NETSTAT.EXE

pid	process
1832	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

wealth.exeNETSTAT.EXE

pid	process
560	wealth.exe
560	wealth.exe
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE
1832	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1448 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wealth.exeNETSTAT.EXE

pid process

560 wealth.exe
560 wealth.exe
560 wealth.exe
1832 NETSTAT.EXE
1832 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wealth.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 560 wealth.exe
Token: SeDebugPrivilege 1832 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1448 Explorer.EXE
1448 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1448 Explorer.EXE
1448 Explorer.EXE

pid	process
1448	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	560	wealth.exe
Token: SeDebugPrivilege	1832	NETSTAT.EXE

pid	process
1448	Explorer.EXE
1448	Explorer.EXE

pid	process
1448	Explorer.EXE
1448	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1180 wrote to memory of 1556	1180	wscript.exe	wscript.exe
PID 1180 wrote to memory of 1556	1180	wscript.exe	wscript.exe
PID 1180 wrote to memory of 1556	1180	wscript.exe	wscript.exe
PID 1180 wrote to memory of 560	1180	wscript.exe	wealth.exe
PID 1180 wrote to memory of 560	1180	wscript.exe	wealth.exe
PID 1180 wrote to memory of 560	1180	wscript.exe	wealth.exe
PID 1180 wrote to memory of 560	1180	wscript.exe	wealth.exe
PID 1448 wrote to memory of 1832	1448	Explorer.EXE	NETSTAT.EXE
PID 1448 wrote to memory of 1832	1448	Explorer.EXE	NETSTAT.EXE
PID 1448 wrote to memory of 1832	1448	Explorer.EXE	NETSTAT.EXE
PID 1448 wrote to memory of 1832	1448	Explorer.EXE	NETSTAT.EXE
PID 1832 wrote to memory of 296	1832	NETSTAT.EXE	cmd.exe
PID 1832 wrote to memory of 296	1832	NETSTAT.EXE	cmd.exe
PID 1832 wrote to memory of 296	1832	NETSTAT.EXE	cmd.exe
PID 1832 wrote to memory of 296	1832	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lGihbLxwSE.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\wealth.exe
    "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
    3⤵
    PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wealth.exe

MD5
83481bf872730cd133669c5ea5b1be2b

SHA1
fbd2369965b20f6bee09063aa454de13a18c71d3

SHA256
5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8

SHA512
9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\wealth.exe

MD5
83481bf872730cd133669c5ea5b1be2b

SHA1
fbd2369965b20f6bee09063aa454de13a18c71d3

SHA256
5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8

SHA512
9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51

Download Submit
C:\Users\Admin\AppData\Roaming\lGihbLxwSE.js

MD5
eac628a8bcbf64e2ba7a8e85df066a64

SHA1
5ca5eba31e823f75927e8dba6e1fbb1081a73ec5

SHA256
557dcb4e31cadcf0635a3f6f0337dfe3e96a30010e8e8b2c67ea11eefbfcf11f

SHA512
9a08e7d3a21aee129d46bfdc0f8e4db954e30dcf37174fdcf8fe57874fde2762590cb12df56a9518541c82eedaa8d6ddc5043d118d4844050027606808cc2f69

Download Submit
memory/296-67-0x0000000000000000-mapping.dmp

Download
memory/560-58-0x0000000000000000-mapping.dmp

Download
memory/560-61-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/560-60-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/1180-55-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

Filesize
8KB

Download
memory/1448-62-0x0000000006730000-0x0000000006815000-memory.dmp

Filesize
916KB

Download
memory/1448-70-0x0000000003ED0000-0x0000000003F69000-memory.dmp

Filesize
612KB

Download
memory/1556-56-0x0000000000000000-mapping.dmp

Download
memory/1832-63-0x0000000000000000-mapping.dmp

Download
memory/1832-64-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/1832-65-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1832-68-0x0000000002100000-0x0000000002403000-memory.dmp

Filesize
3.0MB

Download
memory/1832-69-0x0000000001E50000-0x0000000001EE0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads