vjw0rm | c3da9ad059ebf2feea9281e72b475091b215b5c6233bf2d71d17dc76a6f6c042

General

Target

Purchase Contract.js
Size

132KB
MD5

4e2103da07ac50314867c6c67de21698
SHA1

e25285f2e2692f879f52eb48b35f81891fae5a9c
SHA256

c3da9ad059ebf2feea9281e72b475091b215b5c6233bf2d71d17dc76a6f6c042
SHA512

bfbc1a9ab5ee0942e9652d02b7efbc558eda5fce6ef6c72656024f80a2388b267e4590f1c07c5d18dfcdfc8fcf02dddcdaff7821d113e45b5a783fcbe39932a5

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://spdxx.ddns.net:5050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exewscript.exe

flow pid process

8 1652 wscript.exe
9 472 wscript.exe
14 472 wscript.exe
17 472 wscript.exe
21 472 wscript.exe
24 472 wscript.exe
27 472 wscript.exe

flow	pid	process
8	1652	wscript.exe
9	472	wscript.exe
14	472	wscript.exe
17	472	wscript.exe
21	472	wscript.exe
24	472	wscript.exe
27	472	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MNCmIczjPW.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MNCmIczjPW.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Contract.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Contract.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\MNCmIczjPW.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\R4J2SBXQ4G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Purchase Contract.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1744 schtasks.exe

pid	process
1744	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1652 wrote to memory of 472	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 472	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 472	1652	wscript.exe	wscript.exe
PID 1652 wrote to memory of 1744	1652	wscript.exe	schtasks.exe
PID 1652 wrote to memory of 1744	1652	wscript.exe	schtasks.exe
PID 1652 wrote to memory of 1744	1652	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Contract.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MNCmIczjPW.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:472

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Purchase Contract.js
2⤵
- Creates scheduled task(s)
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MNCmIczjPW.js
MD5
39926685a5c8c06fb72e19e3354926cc

SHA1
35bada3b89fa78d630125bf77dd57190a357cfd0

SHA256
ec5662622f67e877da0b497bcea85ca0233a55f1a5e25072b4a3080d0b412f4b

SHA512
11c7b474fed566ac8415e66de8860491187bd60a177bc8b5de0ee1d0d1db935205afe2414c6c35881ae469996a42d1bb9209e36d17c9da60d50b7257e88d1f40

Download Submit
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads