vjw0rm | 880764b02a05b427918594f017fa9c1fa3e9e8255506d542c302eb93380b0be8

General

Target

Details.pdf.js
Size

562KB
MD5

cb59237d6204d65a220eac88ad0af4e5
SHA1

64304835929c67739b2aba280dcd0f9761925440
SHA256

880764b02a05b427918594f017fa9c1fa3e9e8255506d542c302eb93380b0be8
SHA512

ccd966e2c4e9715d0e46fe4e3c9f331c591757ffe184deaec93797271a77c12d86ad5e00d1b90fc4aa829a38016e3b38344bc711556c8026a0397f9d66bcea9a

Score

10^/10

vjw0rm warzonerat infostealer persistence rat trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 6 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Anew.exe	warzonerat
C:\Users\Admin\AppData\Roaming\Anew.exe	warzonerat
\Users\Admin\Documents\images.exe	warzonerat
\Users\Admin\Documents\images.exe	warzonerat
C:\Users\Admin\Documents\images.exe	warzonerat
C:\Users\Admin\Documents\images.exe	warzonerat

Blocklisted process makes network request 15 IoCs

Processes:

wscript.exe

flow	pid	process
4	1048	wscript.exe
6	1048	wscript.exe
7	1048	wscript.exe
9	1048	wscript.exe
10	1048	wscript.exe
11	1048	wscript.exe
13	1048	wscript.exe
14	1048	wscript.exe
15	1048	wscript.exe
17	1048	wscript.exe
18	1048	wscript.exe
21	1048	wscript.exe
24	1048	wscript.exe
27	1048	wscript.exe
29	1048	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

Anew.exeimages.exe

pid process

2008 Anew.exe
576 images.exe

pid	process
2008	Anew.exe
576	images.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\duRKcJnxZP.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\duRKcJnxZP.js	wscript.exe

Loads dropped DLL 2 IoCs

Processes:

Anew.exe

pid process

2008 Anew.exe
2008 Anew.exe

pid	process
2008	Anew.exe
2008	Anew.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeAnew.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\duRKcJnxZP.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images.exe = "C:\\Users\\Admin\\Documents\\images.exe"	Anew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1244 powershell.exe
1328 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1244 powershell.exe
Token: SeDebugPrivilege 1328 powershell.exe

pid	process
1244	powershell.exe
1328	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

wscript.exeAnew.exeimages.exe

description	pid	process	target process
PID 756 wrote to memory of 1048	756	wscript.exe	wscript.exe
PID 756 wrote to memory of 1048	756	wscript.exe	wscript.exe
PID 756 wrote to memory of 1048	756	wscript.exe	wscript.exe
PID 756 wrote to memory of 2008	756	wscript.exe	Anew.exe
PID 756 wrote to memory of 2008	756	wscript.exe	Anew.exe
PID 756 wrote to memory of 2008	756	wscript.exe	Anew.exe
PID 756 wrote to memory of 2008	756	wscript.exe	Anew.exe
PID 2008 wrote to memory of 1244	2008	Anew.exe	powershell.exe
PID 2008 wrote to memory of 1244	2008	Anew.exe	powershell.exe
PID 2008 wrote to memory of 1244	2008	Anew.exe	powershell.exe
PID 2008 wrote to memory of 1244	2008	Anew.exe	powershell.exe
PID 2008 wrote to memory of 576	2008	Anew.exe	images.exe
PID 2008 wrote to memory of 576	2008	Anew.exe	images.exe
PID 2008 wrote to memory of 576	2008	Anew.exe	images.exe
PID 2008 wrote to memory of 576	2008	Anew.exe	images.exe
PID 576 wrote to memory of 1328	576	images.exe	powershell.exe
PID 576 wrote to memory of 1328	576	images.exe	powershell.exe
PID 576 wrote to memory of 1328	576	images.exe	powershell.exe
PID 576 wrote to memory of 1328	576	images.exe	powershell.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe
PID 576 wrote to memory of 1760	576	images.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Details.pdf.js
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1048

C:\Users\Admin\AppData\Roaming\Anew.exe
"C:\Users\Admin\AppData\Roaming\Anew.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Anew.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
C:\Users\Admin\AppData\Roaming\Anew.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9a99cead739ada0570fb9ab6cad29003

SHA1
704bf42fe9f036b40877f8195636207e72eb642d

SHA256
3fa4d2aae3c983f26e8b105a8da27543b900cfd3f0d5d6dd4886756f8c9b8c27

SHA512
c95c0127a838ab1b5862124f94844d4a308305c587b6f201d1491f3bdad15ed94cdfb7b59d7a5b7e631a3963fcfd8047c982b565b80e1a78c53b5263ccb0c53f

Download Submit
C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js
Filesize
117KB

MD5
2ceda72d46215115db2fd420d1b2b572

SHA1
aa5df32f61fef685e1ba28715c68a60f54b27de7

SHA256
1a01f5780fe39194f89c220a0e899f028478c9312977d176b3c9e2db544b6e96

SHA512
924e847d376e2c33dfe7e14ab7120a63264396c2cd293a7c20b4df864fb3a170c7fe7abc42bfecce89cb1ce0c42709a91ec0cf76ddf8707088a6c1278544f055

Download Submit
C:\Users\Admin\Documents\images.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
C:\Users\Admin\Documents\images.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
\Users\Admin\Documents\images.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
\Users\Admin\Documents\images.exe
Filesize
131KB

MD5
db85d99c2bd8a7d6b1a6e4fdda9dedc7

SHA1
02561516bf81162120b3d1a741e232cf6962173b

SHA256
898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

SHA512
ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

Download Submit
memory/576-68-0x0000000000000000-mapping.dmp

Download
memory/756-54-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download
memory/1048-55-0x0000000000000000-mapping.dmp

Download
memory/1244-62-0x0000000000000000-mapping.dmp

Download
memory/1244-64-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1244-65-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1328-72-0x0000000000000000-mapping.dmp

Download
memory/1328-75-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-76-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-77-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2008-59-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/2008-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads