vjw0rm | 04a29f2129342754634281d655ea4d01ee9197fdb25698a3683bf724e95af3e2

General

Target

eVoucher.js
Size

15KB
MD5

b4d2f443f05f58a96cb91b6d49f3a94e
SHA1

f91885a8a8c5acb059a33a9a2f6b137aafac117c
SHA256

04a29f2129342754634281d655ea4d01ee9197fdb25698a3683bf724e95af3e2
SHA512

b0192fee21a531e162175e2a89624a85cf5e0e10e5c8e4e982ae4a0dda43c78cbeac5cecdc5de90cb1902ddd66053cfcb4f8c230c0759148c4779f3d6b891a6a

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 10 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
2	4848	wscript.exe
5	4848	wscript.exe
7	4848	wscript.exe
9	4848	wscript.exe
11	4564	wscript.exe
36	4564	wscript.exe
46	4564	wscript.exe
51	4564	wscript.exe
52	4564	wscript.exe
53	4564	wscript.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

icekid.exe

pid process

1716 icekid.exe

pid	process
1716	icekid.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 3 IoCs

Processes:

icekid.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	icekid.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UBkYyCfiCr.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UBkYyCfiCr.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

icekid.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	icekid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	icekid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	icekid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	icekid.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UBkYyCfiCr.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	wscript.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3344 powershell.exe
3344 powershell.exe
5084 powershell.exe
5084 powershell.exe
4352 powershell.exe
4352 powershell.exe

pid	process
3344	powershell.exe
3344	powershell.exe
5084	powershell.exe
5084	powershell.exe
4352	powershell.exe
4352	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

icekid.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeRemoteShutdownPrivilege	1716	icekid.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.exeicekid.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 4564	4848	wscript.exe	wscript.exe
PID 4848 wrote to memory of 4564	4848	wscript.exe	wscript.exe
PID 4848 wrote to memory of 1716	4848	wscript.exe	icekid.exe
PID 4848 wrote to memory of 1716	4848	wscript.exe	icekid.exe
PID 4848 wrote to memory of 1716	4848	wscript.exe	icekid.exe
PID 1716 wrote to memory of 1288	1716	icekid.exe	cmd.exe
PID 1716 wrote to memory of 1288	1716	icekid.exe	cmd.exe
PID 1716 wrote to memory of 1288	1716	icekid.exe	cmd.exe
PID 1288 wrote to memory of 3344	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 3344	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 3344	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 5084	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 5084	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 5084	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 4352	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 4352	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 4352	1288	cmd.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\eVoucher.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UBkYyCfiCr.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4564

C:\Users\Admin\AppData\Roaming\icekid.exe
"C:\Users\Admin\AppData\Roaming\icekid.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
52KB

MD5
6b1ddfa379c0ff2bb8bd68f37796cbde

SHA1
14235bffc65aab385005f5147f9bbc4a7a26c5fe

SHA256
d4b19d49ccc92a831524ab5c2d4a5026a4fd1bd269f7adaaa6a4f4c291a6233f

SHA512
57a9de1dc8d820c52968557931236201dff0177a0d341cf5557c753f87bbc1d2cb484071c0c6de2997e9681cda614500032563409b7f0a4bc71c2fd662666be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e659ed5e2f97c9a456c307e5000d64e4

SHA1
f1518fa55e04b641f06da7e60a57a1b28dcce25c

SHA256
a1b9dc9bf8d4b2eee0f631fc173429605812c999f5c60813ec6c9a2471eda134

SHA512
f9619f078134e8714d483a75bec4d8880a1413b54436522b663bf10cc6cd63ed728141ea08b9c3173c746164691dbe3084993c9ac7e7e4de10bd30f17ea325c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
d06bd330bc5e3bdf8671aeb08fd8013b

SHA1
dfff7b6f6bb6353f0dabc21ebf9181b227f3c182

SHA256
7ac431e092c816ab6657952b16745af415980676988f4784b20dbddc03a61b46

SHA512
f73d6f20223515ddb3d7b58c3e45c9dcf223733665b93d07a62db0d8ed62908bdb1411dbdd59266bc9f5d76f090875fc214c033f315c37f3350b31e2647e057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\UBkYyCfiCr.js
Filesize
6KB

MD5
82d8d55e742ea8bea7158934a3fb461a

SHA1
45121cc1d48fab1b0d51dc44bde0797b85a083ce

SHA256
e997d4606b047f6df4b5700761ce282ab321a14ce8235eae195e3f6c8dec21e4

SHA512
988b2272538a3a61578d49cfc2f1b5d79a98557c469ac6ce4a02e1ae1f985d5235d6236efa593efa8841b58723c6dd8c6525e7865b1c93685d460e017042c121

Download Submit
C:\Users\Admin\AppData\Roaming\icekid.exe
Filesize
347KB

MD5
d2c56c415bfce587d346ba4b1858445a

SHA1
837d56d2724a7734ab8ceff4f85f45387eca7741

SHA256
18a815716147275786420495730409e4b54cea2a008db99d840a4adcc019dabe

SHA512
1ed0f830e0d6fa20f957a12121e9056569017555a97553f2944efdd8a777746a15508ac1c656025fae13ae05d3ae48ae533974a38db6b77a4de70544d62bc150

Download Submit
C:\Users\Admin\AppData\Roaming\icekid.exe
Filesize
347KB

MD5
d2c56c415bfce587d346ba4b1858445a

SHA1
837d56d2724a7734ab8ceff4f85f45387eca7741

SHA256
18a815716147275786420495730409e4b54cea2a008db99d840a4adcc019dabe

SHA512
1ed0f830e0d6fa20f957a12121e9056569017555a97553f2944efdd8a777746a15508ac1c656025fae13ae05d3ae48ae533974a38db6b77a4de70544d62bc150

Download Submit
memory/1288-135-0x0000000000000000-mapping.dmp

Download
memory/1716-132-0x0000000000000000-mapping.dmp

Download
memory/3344-146-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/3344-139-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/3344-142-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/3344-143-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/3344-144-0x0000000006590000-0x00000000065C2000-memory.dmp

Filesize
200KB

Download
memory/3344-145-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/3344-137-0x0000000000000000-mapping.dmp

Download
memory/3344-147-0x00000000079D0000-0x000000000804A000-memory.dmp

Filesize
6.5MB

Download
memory/3344-148-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/3344-149-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/3344-150-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/3344-151-0x0000000007380000-0x000000000738E000-memory.dmp

Filesize
56KB

Download
memory/3344-152-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/3344-153-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/3344-138-0x0000000002690000-0x00000000026C6000-memory.dmp

Filesize
216KB

Download
memory/3344-140-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/3344-141-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/4352-159-0x0000000000000000-mapping.dmp

Download
memory/4352-161-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/4564-130-0x0000000000000000-mapping.dmp

Download
memory/5084-154-0x0000000000000000-mapping.dmp

Download
memory/5084-158-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads