vjw0rm | abd35915269d9b7031f7a74be2827e2e5591734f41e0e0da9ea42f9654f79dfa

General

Target

Electroinc receipt #170622-HWRM-AMZN.js
Size

50KB
MD5

b4ff9e813c3c7f228605b07932bfbe86
SHA1

3ef44f9fec10cd94d2cd5c71799d79ef103a2e1a
SHA256

abd35915269d9b7031f7a74be2827e2e5591734f41e0e0da9ea42f9654f79dfa
SHA512

e3114ae026e9e540ecaaf3dcba1a2de23c017443dcfe874da57f2b04dcdd7d660ce6b81732665aecec717966932be3c7992ac27b42be803bdbb999a2308ba1ba

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 46 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
7	1092	wscript.exe
8	1108	wscript.exe
9	1108	wscript.exe
11	1092	wscript.exe
12	1108	wscript.exe
13	1108	wscript.exe
14	1092	wscript.exe
17	1108	wscript.exe
18	1108	wscript.exe
21	1092	wscript.exe
22	1108	wscript.exe
23	1108	wscript.exe
25	1092	wscript.exe
26	1108	wscript.exe
27	1108	wscript.exe
29	1092	wscript.exe
31	1108	wscript.exe
32	1108	wscript.exe
34	1092	wscript.exe
36	1108	wscript.exe
37	1108	wscript.exe
39	1092	wscript.exe
40	1108	wscript.exe
41	1108	wscript.exe
43	1092	wscript.exe
45	1108	wscript.exe
46	1108	wscript.exe
48	1092	wscript.exe
50	1108	wscript.exe
51	1108	wscript.exe
53	1092	wscript.exe
54	1108	wscript.exe
55	1108	wscript.exe
57	1092	wscript.exe
59	1108	wscript.exe
60	1108	wscript.exe
62	1092	wscript.exe
64	1108	wscript.exe
65	1108	wscript.exe
66	1092	wscript.exe
68	1108	wscript.exe
70	1092	wscript.exe
71	1108	wscript.exe
73	1108	wscript.exe
74	1092	wscript.exe
76	1108	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BypceJOrnQ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BypceJOrnQ.js	wscript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BypceJOrnQ.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 880 wrote to memory of 1092	880	wscript.exe	wscript.exe
PID 880 wrote to memory of 1092	880	wscript.exe	wscript.exe
PID 880 wrote to memory of 1092	880	wscript.exe	wscript.exe
PID 880 wrote to memory of 1716	880	wscript.exe	wscript.exe
PID 880 wrote to memory of 1716	880	wscript.exe	wscript.exe
PID 880 wrote to memory of 1716	880	wscript.exe	wscript.exe
PID 1716 wrote to memory of 1108	1716	wscript.exe	wscript.exe
PID 1716 wrote to memory of 1108	1716	wscript.exe	wscript.exe
PID 1716 wrote to memory of 1108	1716	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Electroinc receipt #170622-HWRM-AMZN.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BypceJOrnQ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1092

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\ProgramData\1.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
C:\Users\Admin\AppData\Roaming\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
C:\Users\Admin\AppData\Roaming\BypceJOrnQ.js
Filesize
10KB

MD5
caeb0950a5e4b8e6ba5afb1933670778

SHA1
21e5ab00fc5c624b37c6253003bfb308b97a5b64

SHA256
bf5afb70af5a7a469a630131da230dbbb2aa14107d6052d84e94dc12640ca0ed

SHA512
392b44a6ddd35ff898261360a82ae3d5ad9b2456618024e92e87ddb648b6fd91dbacaaff8cd14b14332a8df87cb2018c579169cd945562ea83cae2e7089d361e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
memory/880-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1092-55-0x0000000000000000-mapping.dmp

Download
memory/1108-60-0x0000000000000000-mapping.dmp

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads