vjw0rm | e91179038282c60446a1ee4d18a912e86330967f3f240e79f51f64d62242ebb4

General

Target

receipt_ups.js
Size

21KB
MD5

e5accbf0fdf8de4b03dd0b5ee218ba39
SHA1

0e185de4af2610f71c23a01620c49c289c63ca76
SHA256

e91179038282c60446a1ee4d18a912e86330967f3f240e79f51f64d62242ebb4
SHA512

c3d9f1e2a3f493db1ca97ee673a3325a0d4c5092ce225c3e4fd035c5258b5229aab05ddab9607e90892bd83dc394d48c7a14f75af254d4ddd25d24dc12432374

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 36 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	540	wscript.exe
9	760	wscript.exe
10	540	wscript.exe
12	760	wscript.exe
13	540	wscript.exe
15	760	wscript.exe
18	540	wscript.exe
19	760	wscript.exe
21	540	wscript.exe
22	760	wscript.exe
24	540	wscript.exe
26	760	wscript.exe
29	540	wscript.exe
30	760	wscript.exe
32	540	wscript.exe
34	760	wscript.exe
35	540	wscript.exe
38	760	wscript.exe
40	540	wscript.exe
41	760	wscript.exe
43	540	wscript.exe
45	760	wscript.exe
46	540	wscript.exe
49	760	wscript.exe
51	540	wscript.exe
52	760	wscript.exe
54	540	wscript.exe
55	760	wscript.exe
57	540	wscript.exe
60	760	wscript.exe
62	540	wscript.exe
64	760	wscript.exe
65	540	wscript.exe
67	760	wscript.exe
68	540	wscript.exe
71	760	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt_ups.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVsmyXmoXx.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVsmyXmoXx.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZVsmyXmoXx.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\RV7KJCEOJC = "\"C:\\Users\\Admin\\AppData\\Roaming\\receipt_ups.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

992 schtasks.exe

pid	process
992	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 540 wrote to memory of 760	540	wscript.exe	wscript.exe
PID 540 wrote to memory of 760	540	wscript.exe	wscript.exe
PID 540 wrote to memory of 760	540	wscript.exe	wscript.exe
PID 540 wrote to memory of 992	540	wscript.exe	schtasks.exe
PID 540 wrote to memory of 992	540	wscript.exe	schtasks.exe
PID 540 wrote to memory of 992	540	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt_ups.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVsmyXmoXx.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:760

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\receipt_ups.js
2⤵
- Creates scheduled task(s)
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZVsmyXmoXx.js
MD5
696ed74097cf5b8f79aef9af9afaef73

SHA1
3e0bbc1b5134ae4035b4811d5554aff7fc264c30

SHA256
582e487ef7cbc0f3559aa71b5524b3c29116e087f43d2afdbaa46d1ecef68edd

SHA512
6a46ba4d13c95a9d0b8f226d0e052f15eb20e3303577df7f197e9f03b63b3abd0c1dad6adffe27445591f5879feafc9a9f58a4465d345ed2405cbfa1d76e8461

Download Submit
memory/760-54-0x0000000000000000-mapping.dmp

Download
memory/992-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads