vjw0rm | 925d5dec4f50c6ce6eb8bd56a51cdb123e8639f282292e3ed1b6cdd4f37e504b

General

Target

Quotation.js
Size

1.3MB
MD5

69c06fd94a073383b9435c801ebb62eb
SHA1

0fae62beac98d2806118a831eb0eca04bf351b65
SHA256

925d5dec4f50c6ce6eb8bd56a51cdb123e8639f282292e3ed1b6cdd4f37e504b
SHA512

e24e74c11f78a6c8f27c4ba5279ca5012577a493966f883ab5c2481e88a657ad0f50ff05cef37eebd4e1e888a797d7038398b520577174cc51bd909b54eedd31

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 832 WScript.exe
8 832 WScript.exe
15 832 WScript.exe

flow	pid	process
5	832	WScript.exe
8	832	WScript.exe
15	832	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jZWRVkiZOm.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jZWRVkiZOm.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\jZWRVkiZOm.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1996 wrote to memory of 832	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 832	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 832	1996	wscript.exe	WScript.exe
PID 1996 wrote to memory of 632	1996	wscript.exe	javaw.exe
PID 1996 wrote to memory of 632	1996	wscript.exe	javaw.exe
PID 1996 wrote to memory of 632	1996	wscript.exe	javaw.exe
PID 632 wrote to memory of 1192	632	javaw.exe	java.exe
PID 632 wrote to memory of 1192	632	javaw.exe	java.exe
PID 632 wrote to memory of 1192	632	javaw.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:832

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wnnyjeihnq.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\wnnyjeihnq.txt"
3⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js
MD5
400d402ce0dc1bbd5cea36de09b25379

SHA1
e6a5f40cbf010f440922612eb469a0a0a2f8e7c7

SHA256
48afd1b8a96cf82de1dd7d4533fdabcd66edf957f354902a999f3b23a823958b

SHA512
13f0b3cffb22ca53e8a0f8e41d81a808f030b355f05fca37d34e4ba1fd5d54a41ad2e520ba5d0fdf058cc2653e61a31304d2d736de0b838cb735194a320ab595

Download Submit
C:\Users\Admin\AppData\Roaming\wnnyjeihnq.txt
MD5
391907cc91179ada8c93dfb70cf2fa56

SHA1
da55acbf6aafe2f376bf4ebd3ff8fbf99cf4966d

SHA256
20ad6197b8d0b6b2764f90ef38bace3e230cb2878db9a30778db0e4ef042a039

SHA512
931c419c6fff67cc0973eaa67c771aafa573ad5875b1db93ed4ec52e1f20f7e567a0f7c44d916de1d8e77407fe83eb2418fc9c0ba457bd05ef1f742bc4ed0afc

Download Submit
C:\Users\Admin\wnnyjeihnq.txt
MD5
391907cc91179ada8c93dfb70cf2fa56

SHA1
da55acbf6aafe2f376bf4ebd3ff8fbf99cf4966d

SHA256
20ad6197b8d0b6b2764f90ef38bace3e230cb2878db9a30778db0e4ef042a039

SHA512
931c419c6fff67cc0973eaa67c771aafa573ad5875b1db93ed4ec52e1f20f7e567a0f7c44d916de1d8e77407fe83eb2418fc9c0ba457bd05ef1f742bc4ed0afc

Download Submit
memory/632-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/632-59-0x0000000002160000-0x0000000005160000-memory.dmp

Filesize
48.0MB

Download
memory/632-62-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/632-64-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/632-87-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/632-90-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/632-121-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads