vjw0rm | 793e966b5c476e439785b630c25d47748b528efb0c4b337e41aa6b64e70fd117

General

Target

e-Receipt#009.js
Size

163KB
MD5

1b4e9f90c6dcd35504ea999ba8aa54a1
SHA1

06721639da5b24773f5543e0684a2247911bda92
SHA256

793e966b5c476e439785b630c25d47748b528efb0c4b337e41aa6b64e70fd117
SHA512

da5bb7d79fadda9b4a5207e411bc689b805990388ed2cf0f98570ddc2a2b0c81d64c6b9a2c8db505a57ffbb67cdb432a5427810f1c6c0daac8175336cad959f7

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 30 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
7	1656	wscript.exe
8	336	wscript.exe
10	336	wscript.exe
12	1656	wscript.exe
13	336	wscript.exe
15	1656	wscript.exe
18	336	wscript.exe
20	1656	wscript.exe
21	336	wscript.exe
23	1656	wscript.exe
24	336	wscript.exe
26	1656	wscript.exe
29	336	wscript.exe
31	1656	wscript.exe
32	336	wscript.exe
34	1656	wscript.exe
35	336	wscript.exe
36	1656	wscript.exe
40	336	wscript.exe
41	1656	wscript.exe
43	336	wscript.exe
45	1656	wscript.exe
46	336	wscript.exe
47	1656	wscript.exe
51	336	wscript.exe
52	1656	wscript.exe
54	336	wscript.exe
56	1656	wscript.exe
57	336	wscript.exe
59	1656	wscript.exe

Drops startup file 3 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlDPzaYWSj.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e-Receipt#009.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlDPzaYWSj.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\nlDPzaYWSj.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXNMD0WI5 = "\"C:\\Users\\Admin\\e-Receipt#009.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1252 schtasks.exe

pid	process
1252	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 336 wrote to memory of 1656	336	wscript.exe	wscript.exe
PID 336 wrote to memory of 1656	336	wscript.exe	wscript.exe
PID 336 wrote to memory of 1656	336	wscript.exe	wscript.exe
PID 336 wrote to memory of 1252	336	wscript.exe	schtasks.exe
PID 336 wrote to memory of 1252	336	wscript.exe	schtasks.exe
PID 336 wrote to memory of 1252	336	wscript.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\e-Receipt#009.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nlDPzaYWSj.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1656

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\e-Receipt#009.js
2⤵
- Creates scheduled task(s)
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nlDPzaYWSj.js
Filesize
58KB

MD5
54f543b5d40a98120f956b0bde522fa9

SHA1
bedab14ffa732c74366d192b8d3c9b393682960e

SHA256
446646baa7534faf7066fb842934ae5e6167680c0383b44e0fef9513549bc0ac

SHA512
e463ed8564d8fb88ab45dd68d29936a068f36cbbdf2623903e68b173a24e907ebad48ab05836dfc30b58fc278dc170a301364cb396b42cf787efd9fbf3ccb76e

Download Submit
memory/336-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1252-57-0x0000000000000000-mapping.dmp

Download
memory/1656-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads