vjw0rm | 941e953be533b065e079b5dc1480cb6cba4db8db25343d6ada935cf0b293e60e

General

Target

Purchase Order.js
Size

102KB
MD5

96ed923c16d7a86c7f70675e508fdb77
SHA1

6cc9cd0e2aee7833a9677c2db346778382d6a800
SHA256

941e953be533b065e079b5dc1480cb6cba4db8db25343d6ada935cf0b293e60e
SHA512

553118001a8a216285f6a1754a2b8adc7079028c10acb7c92ae9732aa7b687358246a4b41ca9ac69af8ab4f77b4d9595deb2ece0ac9ebdd9b6cff4a36083315e

Score

10^/10

vjw0rm persistence suricata trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 41 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
5	4752	wscript.exe
7	1868	wscript.exe
13	4752	wscript.exe
16	1868	wscript.exe
19	4752	wscript.exe
22	4752	wscript.exe
23	1868	wscript.exe
27	4752	wscript.exe
28	4752	wscript.exe
32	1868	wscript.exe
36	4752	wscript.exe
38	1868	wscript.exe
39	4752	wscript.exe
40	4752	wscript.exe
44	4752	wscript.exe
47	1868	wscript.exe
48	4752	wscript.exe
51	4752	wscript.exe
52	4752	wscript.exe
53	4752	wscript.exe
54	4752	wscript.exe
55	1868	wscript.exe
56	4752	wscript.exe
57	4752	wscript.exe
60	4752	wscript.exe
61	1868	wscript.exe
62	4752	wscript.exe
63	4752	wscript.exe
64	1868	wscript.exe
65	4752	wscript.exe
66	1868	wscript.exe
67	4752	wscript.exe
68	4752	wscript.exe
69	1868	wscript.exe
70	4752	wscript.exe
71	4752	wscript.exe
72	1868	wscript.exe
73	4752	wscript.exe
74	1868	wscript.exe
75	4752	wscript.exe
76	4752	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QleZiDKtJk.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QleZiDKtJk.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\QleZiDKtJk.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1524 wrote to memory of 1868	1524	wscript.exe	wscript.exe
PID 1524 wrote to memory of 1868	1524	wscript.exe	wscript.exe
PID 1524 wrote to memory of 4752	1524	wscript.exe	wscript.exe
PID 1524 wrote to memory of 4752	1524	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QleZiDKtJk.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1868
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\coco.vbs

Filesize
13KB

MD5
c654a6599cf8a2a114c82cf39890527e

SHA1
0fdd2f5ac577d5491cdad11e9ab9682eb29f2e3b

SHA256
cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc

SHA512
dc954af78c3e4daaa53ee81cbab5b6831e95b6fa80e7fff56febf884389da5feb473207b0121a81d704755039ed3b8d3870f07620e5fc58161df1c82210bf357

Download Submit
C:\Users\Admin\AppData\Roaming\QleZiDKtJk.js

Filesize
28KB

MD5
e8908e1558ac022da33a07c8b5e8412d

SHA1
7c355f06b4e50fa9b85e9d312d7e3f3614b894cf

SHA256
57a54d7d2dfbaf1feb5dbf9599e4f393f1477dbf47bac32d35f90f13558cde1e

SHA512
a164bc999d45c84754b44783716bcca6a7266215b69cb8ca88f845d4d221c38ecf655979d3e2b4dba9ef7cadb445b11219a1ea0734bd244cec0974f4788cb640

Download Submit
memory/1868-130-0x0000000000000000-mapping.dmp

Download
memory/4752-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads