vjw0rm | 5382fee9aa7bef18d245bd37a9f93feb2671e6dd4b76fdaf90623c2438d22d71

General

Target

PO 062022.js
Size

106KB
MD5

6b40bc20c20e427d9f3eff75a199e5c2
SHA1

eeeba7f94c0c71545dc1a412181bbf59ab3816a3
SHA256

5382fee9aa7bef18d245bd37a9f93feb2671e6dd4b76fdaf90623c2438d22d71
SHA512

c1642890fefb1f65481b4144bce53cf9b51b2cf7834bce3dc9bfbfbe496d56111861014375e6a59cd4d3741e64039f30085abce33a3ccc0d2d1253e203eeb9d2

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 20 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
6	912	wscript.exe
7	1768	wscript.exe
15	912	wscript.exe
21	912	wscript.exe
23	1768	wscript.exe
30	912	wscript.exe
34	912	wscript.exe
48	1768	wscript.exe
52	912	wscript.exe
59	912	wscript.exe
60	1768	wscript.exe
61	912	wscript.exe
78	912	wscript.exe
79	912	wscript.exe
80	1768	wscript.exe
81	912	wscript.exe
88	912	wscript.exe
89	1768	wscript.exe
90	912	wscript.exe
91	912	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw file.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw file.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuRAviYxIE.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuRAviYxIE.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raw file = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\raw file.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raw file = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\raw file.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\tuRAviYxIE.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2912 wrote to memory of 912	2912	wscript.exe	wscript.exe
PID 2912 wrote to memory of 912	2912	wscript.exe	wscript.exe
PID 2912 wrote to memory of 1768	2912	wscript.exe	wscript.exe
PID 2912 wrote to memory of 1768	2912	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO 062022.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tuRAviYxIE.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:912

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\raw file.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\raw file.vbs
Filesize
13KB

MD5
f0112f7f776f1ca4af78430a2d61922e

SHA1
cae4289f99fa422619c07acada55933a11947386

SHA256
e3e4ac1927f81001d587f36f402db771265abe51e9b78ff3335e3882b2f336fb

SHA512
2fe9eee2df3c5c040a13df5bd3bc6b04c1f64665cea2bc8ded6bae6671943c282bdfd1faa201429009ece05acb1e92d4058326898a160fef0e972662200df0ac

Download Submit
C:\Users\Admin\AppData\Roaming\tuRAviYxIE.js
Filesize
30KB

MD5
b787d5ed468e32e92071c74167b45174

SHA1
0adaac7768738778fc95c44d56d9d9ebc6be7fb7

SHA256
8d5e763e5db83aa3d7cdb03a0973f95617626ddfb218cecfc9b12dc6fc097184

SHA512
6d71a511d355a4897874ab4360c2be862e2c17c04e0ce7129ce6ecf2160d179a26bdcaf82d09ec074dd9fca0031a3ce717351632b06d502ce3015b9844c89ae2

Download Submit
memory/912-130-0x0000000000000000-mapping.dmp

Download
memory/1768-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads