vjw0rm | f56acd43442adc78877403cc38f8a9b49e356b12c59d1eb994fcd33f44313899

General

Target

factura 1-000103.js
Size

279KB
MD5

ccb741ce0a1cc6dc191080bc2daf6367
SHA1

7c84f832c779ff31848321e876460ee97f2dc7cd
SHA256

f56acd43442adc78877403cc38f8a9b49e356b12c59d1eb994fcd33f44313899
SHA512

25e29cc884b0177264add07c13dc8693ff1e5e328c535f21ed8ba2c71f5594a3d208f5a8f3cf255bb18da4f63ce3191b46e4367d09c3cf55884a803c327b62f2

Score

10^/10

vjw0rm warzonerat infostealer persistence rat suricata trojan worm

Malware Config

Extracted

Family

warzonerat

C2

91.207.57.115:5079

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Bin.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Bin.exe	warzonerat

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
4	628	wscript.exe
5	628	wscript.exe
6	628	wscript.exe
8	628	wscript.exe
10	628	wscript.exe
12	628	wscript.exe
14	628	wscript.exe
15	628	wscript.exe
16	628	wscript.exe
18	628	wscript.exe
19	628	wscript.exe
20	628	wscript.exe
22	628	wscript.exe
23	628	wscript.exe
24	628	wscript.exe
26	628	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

Bin.exe

pid process

1264 Bin.exe

pid	process
1264	Bin.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOjRaFkJSA.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOjRaFkJSA.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\VOjRaFkJSA.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1520 wrote to memory of 628	1520	wscript.exe	wscript.exe
PID 1520 wrote to memory of 628	1520	wscript.exe	wscript.exe
PID 1520 wrote to memory of 628	1520	wscript.exe	wscript.exe
PID 1520 wrote to memory of 1264	1520	wscript.exe	Bin.exe
PID 1520 wrote to memory of 1264	1520	wscript.exe	Bin.exe
PID 1520 wrote to memory of 1264	1520	wscript.exe	Bin.exe
PID 1520 wrote to memory of 1264	1520	wscript.exe	Bin.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\factura 1-000103.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VOjRaFkJSA.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:628

C:\Users\Admin\AppData\Local\Temp\Bin.exe
"C:\Users\Admin\AppData\Local\Temp\Bin.exe"
2⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bin.exe

Filesize
113KB

MD5
97e9aa4163328831289431799b77771f

SHA1
2106d49061ee6294a747eb170f427be178c66110

SHA256
ddfbb56d086edd4488b4ff7eaeecec812b0c713d5654084a67a39a037307c721

SHA512
53d1befaa744379ded37cd3b02f6bad8dac63990ec98386139c92ec0cb119ada87561aa3e729345dd56fb24a67a19f91dd59aae4444ee93a08df7c2d90cdaaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bin.exe

Filesize
113KB

MD5
97e9aa4163328831289431799b77771f

SHA1
2106d49061ee6294a747eb170f427be178c66110

SHA256
ddfbb56d086edd4488b4ff7eaeecec812b0c713d5654084a67a39a037307c721

SHA512
53d1befaa744379ded37cd3b02f6bad8dac63990ec98386139c92ec0cb119ada87561aa3e729345dd56fb24a67a19f91dd59aae4444ee93a08df7c2d90cdaaaa

Download Submit
C:\Users\Admin\AppData\Roaming\VOjRaFkJSA.js

Filesize
27KB

MD5
75ca0c2ff176da82a10851cd02120ece

SHA1
cda54cd675887109e164d512cd2a9278011f3e69

SHA256
37dcf1f84e002f1ca2857662276e9f5c21415a77a296493541165a05e5213d74

SHA512
a764e19800fc86e0c07fecb877e1681377f6d4bc47ccf08f21546db42b776f365b0ec79d5a6f239c60f0c43e3027c0a1f4d28557dca857ff6a56dd013a3d4e86

Download Submit
memory/628-55-0x0000000000000000-mapping.dmp

Download
memory/1264-57-0x0000000000000000-mapping.dmp

Download
memory/1264-59-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1520-54-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads