vjw0rm | 1e24a6a3246bd6d1af9c3a90880b4518afe0bbaa40f8f922138e1d3f8a4f02de

General

Target

Custom Clearance Doc. AWB#5305323204643.js
Size

616KB
MD5

33d87ba5f5667d83a06e8794e464e6e8
SHA1

b0b8207b5804987067391f6192b8c233dfccbae7
SHA256

1e24a6a3246bd6d1af9c3a90880b4518afe0bbaa40f8f922138e1d3f8a4f02de
SHA512

1ba63984598b1b6400e915dd026bd45e3d12553e7202c6577ca8f0d7f0e6215127ca3a4063a6256f18f956a5ee0f7580d9908084f191f6c8a94cf328fde07e88

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 11 IoCs

Processes:

wscript.exe

flow	pid	process
10	952	wscript.exe
14	952	wscript.exe
15	952	wscript.exe
17	952	wscript.exe
18	952	wscript.exe
19	952	wscript.exe
21	952	wscript.exe
22	952	wscript.exe
23	952	wscript.exe
25	952	wscript.exe
26	952	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\LfLwlUUXXC.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejava.exe

description	pid	process	target process
PID 1416 wrote to memory of 952	1416	wscript.exe	wscript.exe
PID 1416 wrote to memory of 952	1416	wscript.exe	wscript.exe
PID 1416 wrote to memory of 952	1416	wscript.exe	wscript.exe
PID 1416 wrote to memory of 1164	1416	wscript.exe	java.exe
PID 1416 wrote to memory of 1164	1416	wscript.exe	java.exe
PID 1416 wrote to memory of 1164	1416	wscript.exe	java.exe
PID 1164 wrote to memory of 1008	1164	java.exe	java.exe
PID 1164 wrote to memory of 1008	1164	java.exe	java.exe
PID 1164 wrote to memory of 1008	1164	java.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:952

C:\Windows\System32\java.exe
"C:\Windows\System32\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\SM.jar"
3⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SM.jar
Filesize
164KB

MD5
edf0e95033cb0df96be06c5088142288

SHA1
3972af92633203e7857ec0e4ae65246b32c83539

SHA256
9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

SHA512
b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

Download Submit
C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js
Filesize
117KB

MD5
5ec7e975e42079dacb58ad5e712df35f

SHA1
6c963b465c7ddc9081add19f0c99eac3e969f819

SHA256
4be6ef286e027bd596340d08cc8640d213cff7fbf93638a2ccee267fa42512b8

SHA512
ca38464e394d43a8320baa24163cf3921a66ce3a87a8f4da7d20718ab6248319cb6d08de61509b81061d353da23033412fa9b121c14c2c32df5aa2859a7e13a8

Download Submit
C:\Users\Admin\SM.jar
Filesize
164KB

MD5
edf0e95033cb0df96be06c5088142288

SHA1
3972af92633203e7857ec0e4ae65246b32c83539

SHA256
9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

SHA512
b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

Download Submit
memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/1008-70-0x0000000000000000-mapping.dmp

Download
memory/1008-82-0x0000000002390000-0x0000000005390000-memory.dmp

Filesize
48.0MB

Download
memory/1008-83-0x0000000002390000-0x0000000005390000-memory.dmp

Filesize
48.0MB

Download
memory/1164-56-0x0000000000000000-mapping.dmp

Download
memory/1164-69-0x0000000002150000-0x0000000005150000-memory.dmp

Filesize
48.0MB

Download
memory/1416-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads