vjw0rm | 6e5e0e9f651300eb398ab45b10aa881ce9218088fb6a48c0e381be206c44b7b4

General

Target

Electronic receipt #AMZ-HWRM-1605160622.js
Size

127KB
MD5

9279ce6d838dae04a670dd9414db00eb
SHA1

960f79f13370c8bbaafed34d188cec956abb9cf5
SHA256

6e5e0e9f651300eb398ab45b10aa881ce9218088fb6a48c0e381be206c44b7b4
SHA512

55cf16a3024f5c60d4374fa05f22e7f00f93c011e7a1dda180a2805768cfcb6bd12f52d303e7616e46de3e0bd14a238b83940b1393ed91b44787da0e4b3e8485

Score

10^/10

vjw0rm persistence suricata trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 42 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
6	1748	wscript.exe
7	700	wscript.exe
8	700	wscript.exe
10	1748	wscript.exe
11	700	wscript.exe
12	700	wscript.exe
13	1748	wscript.exe
16	700	wscript.exe
18	1748	wscript.exe
19	700	wscript.exe
21	700	wscript.exe
22	1748	wscript.exe
24	700	wscript.exe
26	1748	wscript.exe
27	700	wscript.exe
29	700	wscript.exe
31	1748	wscript.exe
32	700	wscript.exe
33	700	wscript.exe
35	1748	wscript.exe
36	700	wscript.exe
37	1748	wscript.exe
39	700	wscript.exe
41	700	wscript.exe
43	1748	wscript.exe
44	700	wscript.exe
45	700	wscript.exe
47	1748	wscript.exe
48	700	wscript.exe
49	1748	wscript.exe
51	700	wscript.exe
53	700	wscript.exe
55	1748	wscript.exe
56	700	wscript.exe
58	1748	wscript.exe
59	700	wscript.exe
60	700	wscript.exe
62	1748	wscript.exe
64	700	wscript.exe
65	700	wscript.exe
66	1748	wscript.exe
68	700	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	wscript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\qrqblJSZkU.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1964 wrote to memory of 1748	1964	wscript.exe	wscript.exe
PID 1964 wrote to memory of 1748	1964	wscript.exe	wscript.exe
PID 1964 wrote to memory of 1748	1964	wscript.exe	wscript.exe
PID 1964 wrote to memory of 1768	1964	wscript.exe	wscript.exe
PID 1964 wrote to memory of 1768	1964	wscript.exe	wscript.exe
PID 1964 wrote to memory of 1768	1964	wscript.exe	wscript.exe
PID 1768 wrote to memory of 700	1768	wscript.exe	wscript.exe
PID 1768 wrote to memory of 700	1768	wscript.exe	wscript.exe
PID 1768 wrote to memory of 700	1768	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Electronic receipt #AMZ-HWRM-1605160622.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1748

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\ProgramData\1.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
C:\Users\Admin\AppData\Roaming\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs
Filesize
13KB

MD5
b35e3e27a51c38b3c80edb236338dc8a

SHA1
1e696d13ade727030d8f0c921e4a603402ccce49

SHA256
d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f

SHA512
bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677

Download Submit
C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js
Filesize
37KB

MD5
806dc77d323a5ca00b11c27b757861f1

SHA1
cf39f5d773ed14dfcaa6e09e1f759917ff8eccb2

SHA256
0f7e286a25499a4bce0347ea338f6521212392bba9c539c5ca3608ac032914c0

SHA512
1dbc545c230917e5d70c990ec0dc007ddb8867ee1da9d0a719e22f5c5a50c763cb3cf567518e7cee5e3e34aaa86a31dfb2b928f492e2a7a36e35b374e540e927

Download Submit
memory/700-61-0x0000000000000000-mapping.dmp

Download
memory/1748-55-0x0000000000000000-mapping.dmp

Download
memory/1768-57-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads