vjw0rm | 19c2b2552b72e578804e41f698eb760655ec2826fc42fe365eb1bd5b7e1ce38b

General

Target

Shipping Documents AWB#5305323204643.js
Size

429KB
MD5

f992d6aac0c0d0ea532d8128827c1492
SHA1

135f458e0f462fcd95a420af6e34169a0e66a3b7
SHA256

19c2b2552b72e578804e41f698eb760655ec2826fc42fe365eb1bd5b7e1ce38b
SHA512

eb59741e2f70d5aa019166ed940a92701526d7549f95ddb0ecfe656db55177d3c65dd6205a47c8b72aac3222f901d5f36a06567631cebf5eb8d44a48add46867

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
4	1556	wscript.exe
5	1556	wscript.exe
6	1556	wscript.exe
8	1556	wscript.exe
10	1556	wscript.exe
11	1556	wscript.exe
13	1556	wscript.exe
14	1556	wscript.exe
15	1556	wscript.exe
17	1556	wscript.exe
18	1556	wscript.exe
19	1556	wscript.exe
21	1556	wscript.exe
22	1556	wscript.exe
23	1556	wscript.exe
25	1556	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TplQiMdZSw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TplQiMdZSw.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TplQiMdZSw.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1080 wrote to memory of 1556	1080	wscript.exe	wscript.exe
PID 1080 wrote to memory of 1556	1080	wscript.exe	wscript.exe
PID 1080 wrote to memory of 1556	1080	wscript.exe	wscript.exe
PID 1080 wrote to memory of 1392	1080	wscript.exe	java.exe
PID 1080 wrote to memory of 1392	1080	wscript.exe	java.exe
PID 1080 wrote to memory of 1392	1080	wscript.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Shipping Documents AWB#5305323204643.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1556

C:\Windows\System32\java.exe
"C:\Windows\System32\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
2⤵
PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SM.jar
Filesize
164KB

MD5
edf0e95033cb0df96be06c5088142288

SHA1
3972af92633203e7857ec0e4ae65246b32c83539

SHA256
9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

SHA512
b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

Download Submit
C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js
Filesize
49KB

MD5
bdc987e24f3756203aba0bdad8f3f455

SHA1
f45575f65715623d255b8c3f403306ab8598b874

SHA256
deb124489dadb59b3c7a6afd7a6f774538935fb0968b04dd8ca6de104d2cc19b

SHA512
32ae2c2794ff4a5d662f013f946f1ef5ce0b489c171ed5991468ef82d011de952b78bb23a9428e3c2b96f140e1ece9cc81e308da698698b8dc18041bbd0a1805

Download Submit
memory/1080-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1392-57-0x0000000000000000-mapping.dmp

Download
memory/1392-70-0x0000000002190000-0x0000000005190000-memory.dmp

Filesize
48.0MB

Download
memory/1392-71-0x0000000002190000-0x0000000005190000-memory.dmp

Filesize
48.0MB

Download
memory/1556-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads