vjw0rm | ed3d74decd00483a7ff8ecc3ffaf6f1efee0f19770a6c3779ea8e88ea2cca1ab

General

Target

receipt#.js
Size

249KB
MD5

92f61597d08bb5bae2d03dc5552961a1
SHA1

6406756edf4949687a63f8e710abab24c333a5d0
SHA256

ed3d74decd00483a7ff8ecc3ffaf6f1efee0f19770a6c3779ea8e88ea2cca1ab
SHA512

3db7353f7887d2724f052eef9d2a1eb4a98d762f3573ddea9b6c2fea56ad87b7618631d41ef96ef215d5a96228acc78fcdc8d5932c7747ea4096235a1fe3d148

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 34 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	952	wscript.exe
9	760	wscript.exe
10	952	wscript.exe
12	760	wscript.exe
14	952	wscript.exe
15	760	wscript.exe
18	952	wscript.exe
20	760	wscript.exe
21	952	wscript.exe
23	760	wscript.exe
24	952	wscript.exe
27	760	wscript.exe
29	952	wscript.exe
31	760	wscript.exe
33	952	wscript.exe
34	760	wscript.exe
35	952	wscript.exe
39	952	wscript.exe
40	760	wscript.exe
43	952	wscript.exe
44	760	wscript.exe
45	952	wscript.exe
48	760	wscript.exe
49	952	wscript.exe
51	760	wscript.exe
53	952	wscript.exe
55	760	wscript.exe
56	952	wscript.exe
59	760	wscript.exe
60	952	wscript.exe
62	760	wscript.exe
64	952	wscript.exe
66	760	wscript.exe
67	952	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt#.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HgBWkFSmvu.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HgBWkFSmvu.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\HgBWkFSmvu.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSAGQWKNY8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt#.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1104 schtasks.exe

pid	process
1104	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 952 wrote to memory of 760	952	wscript.exe	wscript.exe
PID 952 wrote to memory of 760	952	wscript.exe	wscript.exe
PID 952 wrote to memory of 760	952	wscript.exe	wscript.exe
PID 952 wrote to memory of 1104	952	wscript.exe	schtasks.exe
PID 952 wrote to memory of 1104	952	wscript.exe	schtasks.exe
PID 952 wrote to memory of 1104	952	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt#.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HgBWkFSmvu.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:760

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt#.js
2⤵
- Creates scheduled task(s)
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HgBWkFSmvu.js
MD5
afbb6a19d4d6d1a91ea3c920efe15681

SHA1
97ac6622bcfef23a461a1ad43ce407abc444dfda

SHA256
227a38a822bf090ff5e02c9180fdae330f3c462c349991116f1cb7b82f42200c

SHA512
e11cfdaef1417d4a164d6aa16dce1bf9b38a017bbf05dc52e8c1e2f1dd78d5ec983008bd0f7622c29986080736558e713c9e5c7a1cb463c836c047232783a23f

Download Submit
memory/760-56-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1104-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads