vjw0rm | 02a75696ab10f5203c0ef720767311d56aa63fb80a3a2191f134a944a84d421b

General

Target

receipt_usps.js
Size

22KB
MD5

42c752340356522cee767e5c2afe5f7c
SHA1

153c7a7151a22ae7cb895a64cdaa2ae4bcce6cd4
SHA256

02a75696ab10f5203c0ef720767311d56aa63fb80a3a2191f134a944a84d421b
SHA512

f1c72c16f667597bc39df48fbcf4c7614c8c8f31d75981e7edf9f463d88f7137b74fb44c11222eec6f32aa2e35eaf31e49ad2ef319191c943d0fde23efcc3824

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9999

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 19 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	268	wscript.exe
9	1448	wscript.exe
10	268	wscript.exe
13	268	wscript.exe
15	268	wscript.exe
18	268	wscript.exe
20	268	wscript.exe
23	268	wscript.exe
25	268	wscript.exe
26	268	wscript.exe
30	268	wscript.exe
31	268	wscript.exe
33	268	wscript.exe
36	268	wscript.exe
39	268	wscript.exe
40	268	wscript.exe
43	268	wscript.exe
45	268	wscript.exe
48	268	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt_usps.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FozIlvIDCR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FozIlvIDCR.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\TJIPC622E2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt_usps.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\FozIlvIDCR.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1812 schtasks.exe

pid	process
1812	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1448 wrote to memory of 268	1448	wscript.exe	wscript.exe
PID 1448 wrote to memory of 268	1448	wscript.exe	wscript.exe
PID 1448 wrote to memory of 268	1448	wscript.exe	wscript.exe
PID 1448 wrote to memory of 1812	1448	wscript.exe	schtasks.exe
PID 1448 wrote to memory of 1812	1448	wscript.exe	schtasks.exe
PID 1448 wrote to memory of 1812	1448	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt_usps.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FozIlvIDCR.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:268

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt_usps.js
2⤵
- Creates scheduled task(s)
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FozIlvIDCR.js
MD5
d35d60a7f0d9b10ff20a4f70ced63b36

SHA1
380533bfc9a3d34763770651240cb4a4e9c65179

SHA256
793ebcbdadc99a75b521664c69c548fbfdeea48e71aba57dc9ad54bc058d05cd

SHA512
e2fc30ff2da35f54bfe0c736050318ee6730657ec109e64ac16f33ffe323af9ba3a283477282b796a2acc6d27f3facf93900dbe671d92f4bf473bbdd62543cb1

Download Submit
memory/268-55-0x0000000000000000-mapping.dmp

Download
memory/1812-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads