vjw0rm | 8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8

General

Target

0123987INMWN2987.js
Size

297KB
MD5

ee4b83dc3501b10be35a258a19b6251f
SHA1

8a8036bdfbf85a9c08a713a4e94c6afdda02d4a4
SHA256

8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8
SHA512

54dd330f4e0dcc779a8fd4f1950270fdab281e50be170af1fb56c5b98f7d561caa18d5cdf485ccbe196aa771f2784287c12dc2891d7fa1aed3055a330cdccf49

Score

10^/10

vjw0rm warzonerat infostealer persistence rat trojan worm

Malware Config

Extracted

Family

warzonerat

C2

blessed147.ddns.net:8472

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
6	4672	wscript.exe
16	4672	wscript.exe
23	4672	wscript.exe
32	4672	wscript.exe
35	4672	wscript.exe
39	4672	wscript.exe
42	4672	wscript.exe
44	4672	wscript.exe
47	4672	wscript.exe
48	4672	wscript.exe
50	4672	wscript.exe
51	4672	wscript.exe
52	4672	wscript.exe
53	4672	wscript.exe
54	4672	wscript.exe
57	4672	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

test.exeimages.exe

pid process

4932 test.exe
4980 images.exe

pid	process
4932	test.exe
4980	images.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbOVhPXRrj.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbOVhPXRrj.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PbOVhPXRrj.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wscript.exetest.exe

description	pid	process	target process
PID 4028 wrote to memory of 4672	4028	wscript.exe	wscript.exe
PID 4028 wrote to memory of 4672	4028	wscript.exe	wscript.exe
PID 4028 wrote to memory of 4932	4028	wscript.exe	test.exe
PID 4028 wrote to memory of 4932	4028	wscript.exe	test.exe
PID 4028 wrote to memory of 4932	4028	wscript.exe	test.exe
PID 4932 wrote to memory of 4980	4932	test.exe	images.exe
PID 4932 wrote to memory of 4980	4932	test.exe	images.exe
PID 4932 wrote to memory of 4980	4932	test.exe	images.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0123987INMWN2987.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PbOVhPXRrj.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4672

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
152KB

MD5
a1f762b0387032ffb2354bb07e5fb203

SHA1
e12a2e66d5fef8bb2fd42e5292e2d358dec5a433

SHA256
fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd

SHA512
f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08

Download Submit
C:\ProgramData\images.exe
Filesize
152KB

MD5
a1f762b0387032ffb2354bb07e5fb203

SHA1
e12a2e66d5fef8bb2fd42e5292e2d358dec5a433

SHA256
fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd

SHA512
f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
152KB

MD5
a1f762b0387032ffb2354bb07e5fb203

SHA1
e12a2e66d5fef8bb2fd42e5292e2d358dec5a433

SHA256
fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd

SHA512
f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
152KB

MD5
a1f762b0387032ffb2354bb07e5fb203

SHA1
e12a2e66d5fef8bb2fd42e5292e2d358dec5a433

SHA256
fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd

SHA512
f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08

Download Submit
C:\Users\Admin\AppData\Roaming\PbOVhPXRrj.js
Filesize
10KB

MD5
c822db80563ebedaa46103197f39fd8d

SHA1
a893027e0c0eff56b264180ecf4479aa603f012e

SHA256
b9a6487159fc63bb98c02afdb35737e88e07ec53d1ab3395604fe853288174d1

SHA512
0daa19feb16d2549dd7cd84f337ad045b12b790adf5a427a9dd57dde45d2c8b25ff7530fe832ae2e0565476371300407b95b497359aebe7e4e8686530637ccba

Download Submit
memory/4672-130-0x0000000000000000-mapping.dmp

Download
memory/4932-132-0x0000000000000000-mapping.dmp

Download
memory/4980-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads