vjw0rm | d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09

General

Target

ORDER SPECIFICATION.js
Size

81KB
MD5

8c577d950786e8262f22dd3c23ca8c07
SHA1

a933a3f7da664089ab715ee06ca9fdf17d9ef318
SHA256

d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09
SHA512

21217ecf4c1f0aba4c72e3a7cb1d49643d506aed4ca59753e052090c4df2d8f2f607c46d7a2b95802f1686f48d45e8ca9fd0cd851ce66ecf6ce88b17db4d7c40

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 12 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
2	3936	wscript.exe
7	3844	wscript.exe
17	3844	wscript.exe
30	3844	wscript.exe
47	3844	wscript.exe
48	3844	wscript.exe
56	3844	wscript.exe
59	3844	wscript.exe
60	3844	wscript.exe
64	3844	wscript.exe
65	3844	wscript.exe
66	3844	wscript.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

QB8Dp5m5pHF6fkB.exe

pid process

4484 QB8Dp5m5pHF6fkB.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeQB8Dp5m5pHF6fkB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	QB8Dp5m5pHF6fkB.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SdORAbNrxc.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SdORAbNrxc.js	wscript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SdORAbNrxc.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2780 schtasks.exe

pid	process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

QB8Dp5m5pHF6fkB.exepowershell.exe

pid	process
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4484	QB8Dp5m5pHF6fkB.exe
4948	powershell.exe
4948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QB8Dp5m5pHF6fkB.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4484 QB8Dp5m5pHF6fkB.exe
Token: SeDebugPrivilege 4948 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4484	QB8Dp5m5pHF6fkB.exe
Token: SeDebugPrivilege	4948	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

wscript.exeQB8Dp5m5pHF6fkB.exe

description	pid	process	target process
PID 3936 wrote to memory of 3844	3936	wscript.exe	wscript.exe
PID 3936 wrote to memory of 3844	3936	wscript.exe	wscript.exe
PID 3936 wrote to memory of 4484	3936	wscript.exe	QB8Dp5m5pHF6fkB.exe
PID 3936 wrote to memory of 4484	3936	wscript.exe	QB8Dp5m5pHF6fkB.exe
PID 3936 wrote to memory of 4484	3936	wscript.exe	QB8Dp5m5pHF6fkB.exe
PID 4484 wrote to memory of 4948	4484	QB8Dp5m5pHF6fkB.exe	powershell.exe
PID 4484 wrote to memory of 4948	4484	QB8Dp5m5pHF6fkB.exe	powershell.exe
PID 4484 wrote to memory of 4948	4484	QB8Dp5m5pHF6fkB.exe	powershell.exe
PID 4484 wrote to memory of 2780	4484	QB8Dp5m5pHF6fkB.exe	schtasks.exe
PID 4484 wrote to memory of 2780	4484	QB8Dp5m5pHF6fkB.exe	schtasks.exe
PID 4484 wrote to memory of 2780	4484	QB8Dp5m5pHF6fkB.exe	schtasks.exe
PID 4484 wrote to memory of 4344	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4344	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4344	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 3244	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 3244	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 3244	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4560	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4560	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4560	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4548	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4548	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4548	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4476	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4476	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe
PID 4484 wrote to memory of 4476	4484	QB8Dp5m5pHF6fkB.exe	vbc.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER SPECIFICATION.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SdORAbNrxc.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3844
- C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe
  "C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HSzaYH.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HSzaYH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E41.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3E41.tmp

Filesize
1KB

MD5
5ee13161718efdf950a80e50487c4483

SHA1
d8bd3891a0d97eb63d6a23ea8abce727cfc0b283

SHA256
bdf499f00b9360743a46e29c25bedceb6a9cdad55d9df338522127d777d7f57a

SHA512
d85bb08249c61c08d6d4429f5c5ac15973c3c8996480db4a08fb88757f55c2c1416be715f289cb69df3929f0b434d5cd4e8795dfd2d73135b75c94682cc20cec

Download Submit
C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe

Filesize
549KB

MD5
01da8ba876eb4038213d8eb6493c9947

SHA1
c05eb1a5b5bf52bc05bece7e2bb65e8281828e5f

SHA256
a4c6f718bffae66def8dc2d48d844bf90632cc708ffdc6363f2aa3021d1a6f60

SHA512
dec4b9ddd63fc6769ffd9a4858f9c27cce2d56e3a0ea9af7dc48ff13d04ecedaa44948329c9299a962e01c97ef455fa266eb6857e7af5868db5d354397efebaa

Download Submit
C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe

Filesize
549KB

MD5
01da8ba876eb4038213d8eb6493c9947

SHA1
c05eb1a5b5bf52bc05bece7e2bb65e8281828e5f

SHA256
a4c6f718bffae66def8dc2d48d844bf90632cc708ffdc6363f2aa3021d1a6f60

SHA512
dec4b9ddd63fc6769ffd9a4858f9c27cce2d56e3a0ea9af7dc48ff13d04ecedaa44948329c9299a962e01c97ef455fa266eb6857e7af5868db5d354397efebaa

Download Submit
C:\Users\Admin\AppData\Roaming\SdORAbNrxc.js

Filesize
30KB

MD5
ce7c8bc0e2587dcc7044d337fda0320f

SHA1
6e4e6d39752ca7a454f7081210402e7bb1bd52d4

SHA256
7d70fd9144c686fe6ff23fe66e44ccbb55827b2af1a91ca60b10ef1631f0c067

SHA512
e395ba15f19051811d1ba5220bf2f326041a95c245f0faf47ca8b416953bdfda8e16e7fd132ff439637f5e3372c4ae1fe4baff26b6e6c7ba545077b3ffb48f28

Download Submit
memory/2780-142-0x0000000000000000-mapping.dmp

Download
memory/3244-147-0x0000000000000000-mapping.dmp

Download
memory/3844-130-0x0000000000000000-mapping.dmp

Download
memory/4344-146-0x0000000000000000-mapping.dmp

Download
memory/4476-150-0x0000000000000000-mapping.dmp

Download
memory/4484-138-0x0000000005B70000-0x0000000005B7A000-memory.dmp

Filesize
40KB

Download
memory/4484-140-0x00000000099A0000-0x0000000009A3C000-memory.dmp

Filesize
624KB

Download
memory/4484-139-0x0000000006480000-0x0000000006626000-memory.dmp

Filesize
1.6MB

Download
memory/4484-132-0x0000000000000000-mapping.dmp

Download
memory/4484-137-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/4484-135-0x0000000000F90000-0x000000000101E000-memory.dmp

Filesize
568KB

Download
memory/4484-136-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/4548-149-0x0000000000000000-mapping.dmp

Download
memory/4560-148-0x0000000000000000-mapping.dmp

Download
memory/4948-152-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4948-157-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/4948-143-0x0000000004BE0000-0x0000000004C16000-memory.dmp

Filesize
216KB

Download
memory/4948-151-0x0000000005A00000-0x0000000005A22000-memory.dmp

Filesize
136KB

Download
memory/4948-141-0x0000000000000000-mapping.dmp

Download
memory/4948-153-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/4948-154-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/4948-155-0x0000000006760000-0x0000000006792000-memory.dmp

Filesize
200KB

Download
memory/4948-156-0x0000000072720000-0x000000007276C000-memory.dmp

Filesize
304KB

Download
memory/4948-145-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/4948-158-0x0000000007AE0000-0x000000000815A000-memory.dmp

Filesize
6.5MB

Download
memory/4948-159-0x00000000074A0000-0x00000000074BA000-memory.dmp

Filesize
104KB

Download
memory/4948-160-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/4948-161-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/4948-162-0x00000000076D0000-0x00000000076DE000-memory.dmp

Filesize
56KB

Download
memory/4948-163-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4948-164-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads