vjw0rm | 19c2b2552b72e578804e41f698eb760655ec2826fc42fe365eb1bd5b7e1ce38b

General

Target

Shipping Documents AWB#5305323204643.js
Size

429KB
MD5

f992d6aac0c0d0ea532d8128827c1492
SHA1

135f458e0f462fcd95a420af6e34169a0e66a3b7
SHA256

19c2b2552b72e578804e41f698eb760655ec2826fc42fe365eb1bd5b7e1ce38b
SHA512

eb59741e2f70d5aa019166ed940a92701526d7549f95ddb0ecfe656db55177d3c65dd6205a47c8b72aac3222f901d5f36a06567631cebf5eb8d44a48add46867

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
5	2376	wscript.exe
6	2376	wscript.exe
21	2376	wscript.exe
36	2376	wscript.exe
37	2376	wscript.exe
40	2376	wscript.exe
41	2376	wscript.exe
42	2376	wscript.exe
45	2376	wscript.exe
47	2376	wscript.exe
48	2376	wscript.exe
49	2376	wscript.exe
50	2376	wscript.exe
51	2376	wscript.exe
52	2376	wscript.exe
53	2376	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TplQiMdZSw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TplQiMdZSw.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TplQiMdZSw.js\""	wscript.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4248 wrote to memory of 2376	4248	wscript.exe	wscript.exe
PID 4248 wrote to memory of 2376	4248	wscript.exe	wscript.exe
PID 4248 wrote to memory of 4796	4248	wscript.exe	java.exe
PID 4248 wrote to memory of 4796	4248	wscript.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Shipping Documents AWB#5305323204643.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2376

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
2⤵
- Drops file in Program Files directory
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SM.jar
Filesize
164KB

MD5
edf0e95033cb0df96be06c5088142288

SHA1
3972af92633203e7857ec0e4ae65246b32c83539

SHA256
9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

SHA512
b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

Download Submit
C:\Users\Admin\AppData\Roaming\TplQiMdZSw.js
Filesize
49KB

MD5
bdc987e24f3756203aba0bdad8f3f455

SHA1
f45575f65715623d255b8c3f403306ab8598b874

SHA256
deb124489dadb59b3c7a6afd7a6f774538935fb0968b04dd8ca6de104d2cc19b

SHA512
32ae2c2794ff4a5d662f013f946f1ef5ce0b489c171ed5991468ef82d011de952b78bb23a9428e3c2b96f140e1ece9cc81e308da698698b8dc18041bbd0a1805

Download Submit
memory/2376-133-0x0000000000000000-mapping.dmp

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download
memory/4796-141-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download
memory/4796-163-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download
memory/4796-164-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download
memory/4796-165-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download
memory/4796-166-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download
memory/4796-167-0x0000000002E70000-0x0000000003E70000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads