vjw0rm | 7b3187751d1b85e101baf35c73d93c77006cf7a6729ba1b57a702884a0a5c17d

General

Target

Maersk Sets Documents.js
Size

47KB
MD5

3391e6b60c013e63bb73c91cd77ea05b
SHA1

8e7197b5dc1c99d6579f0a002aa7a4e0fa16de8a
SHA256

7b3187751d1b85e101baf35c73d93c77006cf7a6729ba1b57a702884a0a5c17d
SHA512

c025c5f85219083aabe69474fbbf1415d445fa27c8c19640ccf971be3178741fcc8623f114008c99005a36e4848950fd8a11515bf2f31f79a3168ee3bb95fb33

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 20 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
10	4772	wscript.exe
11	3168	wscript.exe
25	4772	wscript.exe
33	3168	wscript.exe
36	4772	wscript.exe
50	3168	wscript.exe
52	3168	wscript.exe
55	4772	wscript.exe
60	4772	wscript.exe
62	4772	wscript.exe
64	3168	wscript.exe
67	3168	wscript.exe
68	4772	wscript.exe
71	3168	wscript.exe
72	4772	wscript.exe
75	4772	wscript.exe
76	3168	wscript.exe
78	3168	wscript.exe
81	4772	wscript.exe
82	3168	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\quFMSWkFxm.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4348 wrote to memory of 4772	4348	wscript.exe	wscript.exe
PID 4348 wrote to memory of 4772	4348	wscript.exe	wscript.exe
PID 4348 wrote to memory of 3168	4348	wscript.exe	wscript.exe
PID 4348 wrote to memory of 3168	4348	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Maersk Sets Documents.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4772

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
13KB

MD5
fcab27f1e1e9316c441368eb38fea59c

SHA1
37e0c7c153b5983cb175a1bcfbe2fc7960606568

SHA256
7a535dd7f5f8dc5193c7184ea0278f862e06485c369821747af71b174000fdb6

SHA512
ed83503d8af7abf3f342719539f6f305a9fc34d45b4fe7c5dcfd68855dc76e76fe5cbed111303d3f7c1e4171cef779ace81d2e0d810ef02dd0b7c8ec6955894c

Download Submit
C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js

Filesize
9KB

MD5
c16ce4cee2d0306bfdb474bcd0dac7d2

SHA1
a006c5c9b53faa68e7fee669b9b1526d8e36e36f

SHA256
c70607ee78ed62e79ac29ecc0218f77bc6800b0ff03c807d6c10d869b46a3c5e

SHA512
e3290deb093c90b42225a31fc21cdddcdab65206f7ae19910ca264c36125b91bf027baa6b22dfaab893c169e0b59e2432e4aa9f58e59c947f97ba882b036b19f

Download Submit
memory/3168-131-0x0000000000000000-mapping.dmp

Download
memory/4772-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads