vjw0rm | b908d37c8fd6804048f23376159e0610b48b0bc3dda2ba4876d69da4fbed4d77

General

Target

New_Order.js
Size

121KB
MD5

10618f9206270556b21eed02cff7efb6
SHA1

997c8dcde0cbc67164212dc9091e2971620511a9
SHA256

b908d37c8fd6804048f23376159e0610b48b0bc3dda2ba4876d69da4fbed4d77
SHA512

de363de443370113bb2d41249d707321dd066cbd15b4f17589924a255815a9618d2ee8cc617b85d8103415b60654c89546f549efb7283d984714571cdea56f22

Score

10^/10

vjw0rm persistence suricata trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://franmhort.duia.ro:8152

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 20 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
1	508	wscript.exe
3	856	wscript.exe
4	856	wscript.exe
6	856	wscript.exe
7	856	wscript.exe
8	856	wscript.exe
10	856	wscript.exe
12	856	wscript.exe
15	856	wscript.exe
16	856	wscript.exe
17	856	wscript.exe
18	856	wscript.exe
19	856	wscript.exe
20	856	wscript.exe
21	856	wscript.exe
22	856	wscript.exe
23	856	wscript.exe
24	856	wscript.exe
25	856	wscript.exe
26	856	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\worm.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\worm.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwxPBwaFdb.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwxPBwaFdb.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\bwxPBwaFdb.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows\CurrentVersion\Run\worm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\worm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\worm.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1364 wrote to memory of 856	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 856	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 508	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 508	1364	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\New_Order.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bwxPBwaFdb.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:856

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\worm.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\worm.vbs

Filesize
13KB

MD5
d97570618f71f6ff84062c1428f22664

SHA1
da9f9ef6ca4d924c148d6ef993840f69823ac553

SHA256
21313a96bd08053c737748c102862967f441e6701991a6b7eb9191dd8c8b620e

SHA512
719804e51ce625b5c08e1f7c6163b7d9ab3d14f11b2e65f56f6adbcb4f68ae8d29a59fee0b4ce333b84cea73145737661d61b07c7c2f14afdab05b9049aef2c2

Download Submit
C:\Users\Admin\AppData\Roaming\bwxPBwaFdb.js

Filesize
35KB

MD5
09da663351d4d40aa0e75a6d9f2ed64a

SHA1
d8b4b988299a6cf733cf746f46eb929ff793a240

SHA256
0262523625912873b380663f40f59440fc83ac98ddf8fbbaf509abee0df5f9f7

SHA512
0e085203cef62bcf00e0a562e078793b5cdeea4099543d8fcc46ef14e29d6f63f6604a136718364083f995d65f5650ae3b0493ffbeb595e248e62dbd544b0a68

Download Submit
memory/508-115-0x0000000000000000-mapping.dmp

Download
memory/856-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads