vjw0rm | 3bf7f9438212e92917ba612befda26145945e04245e5dd738919661580a9fb1a

General

Target

Shipping Document PL&BL Draft.js
Size

375KB
MD5

ac65f796eeb20e70fd185fad624636f4
SHA1

c1e2bca904cb7a6e3300a34d279894f5f9a016eb
SHA256

3bf7f9438212e92917ba612befda26145945e04245e5dd738919661580a9fb1a
SHA512

fb9e46e1181d95dc488a192eef08dde2b13d65bbd8c2742af37004a4abf9192d66af86ca50e04ec0f5d0a49178d259eedb02344f3680214faa7020a656ec5378

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

7 1984 wscript.exe

flow	pid	process
7	1984	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EIGCyLgTZL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EIGCyLgTZL.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\EIGCyLgTZL.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1140 wrote to memory of 1984	1140	wscript.exe	wscript.exe
PID 1140 wrote to memory of 1984	1140	wscript.exe	wscript.exe
PID 1140 wrote to memory of 2808	1140	wscript.exe	java.exe
PID 1140 wrote to memory of 2808	1140	wscript.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EIGCyLgTZL.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1984

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
2⤵
PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SM.jar
Filesize
164KB

MD5
edf0e95033cb0df96be06c5088142288

SHA1
3972af92633203e7857ec0e4ae65246b32c83539

SHA256
9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049

SHA512
b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

Download Submit
C:\Users\Admin\AppData\Roaming\EIGCyLgTZL.js
Filesize
30KB

MD5
fe5971f1bd03a7eae990dc85ae806a59

SHA1
7b6a5752572072ba5e43b56717a816b4b0277d48

SHA256
0a95fe05d32742d864e432ffc08155d6b428854177c966dffc53b74cdb16bc7f

SHA512
263c135e266733cd8a3062859eabde356393f40eb5ef1da610f8e8fb1be82bc7ae0e97be37846e6ad3ead458c675f33ee8533caf6389ad2815d8072ae170aaf6

Download Submit
memory/1984-130-0x0000000000000000-mapping.dmp

Download
memory/2808-155-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-167-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-152-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-153-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-154-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-132-0x0000000000000000-mapping.dmp

Download
memory/2808-156-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-138-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-170-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-174-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-176-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-177-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-179-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download
memory/2808-180-0x0000000002FE0000-0x0000000003FE0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads