vjw0rm | bd93c23a662de94fafd902c069a4999e651fe3333034eec1deb09c2e26a6dd3b

General

Target

IMG-02100.js
Size

347KB
MD5

e869daed2a101e37df329f54350baac5
SHA1

82cd02f5668b730646b1ead1c23e72ccaedb56f0
SHA256

7d87428b37ec7ffe4e99b34737d777ba2df35b51f990488d68ecaa6521de1164
SHA512

12f7832246e43d77ceeaded76f82ed06ff81f95ca97bb1fe994f32479dcb365d9a43f799b5ca06fc6e791e31cf7637777b58241c93133bac8d8282e60f3c9c11

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 38 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
6	3100	wscript.exe
7	4420	wscript.exe
14	3100	wscript.exe
15	4420	wscript.exe
22	3100	wscript.exe
24	4420	wscript.exe
25	3100	wscript.exe
28	4420	wscript.exe
34	3100	wscript.exe
36	3100	wscript.exe
38	4420	wscript.exe
39	3100	wscript.exe
43	4420	wscript.exe
46	3100	wscript.exe
47	4420	wscript.exe
48	3100	wscript.exe
50	4420	wscript.exe
51	3100	wscript.exe
53	3100	wscript.exe
54	4420	wscript.exe
55	3100	wscript.exe
56	4420	wscript.exe
57	3100	wscript.exe
59	4420	wscript.exe
60	3100	wscript.exe
61	4420	wscript.exe
62	3100	wscript.exe
63	3100	wscript.exe
64	4420	wscript.exe
65	3100	wscript.exe
66	4420	wscript.exe
67	3100	wscript.exe
68	4420	wscript.exe
69	3100	wscript.exe
70	4420	wscript.exe
71	3100	wscript.exe
72	3100	wscript.exe
73	4420	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ordahWuzjJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ordahWuzjJ.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hworm.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hworm.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ordahWuzjJ.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3768 wrote to memory of 4420	3768	wscript.exe	wscript.exe
PID 3768 wrote to memory of 4420	3768	wscript.exe	wscript.exe
PID 3768 wrote to memory of 3100	3768	wscript.exe	wscript.exe
PID 3768 wrote to memory of 3100	3768	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-02100.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ordahWuzjJ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4420

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hworm.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hworm.vbs
Filesize
13KB

MD5
790a8cad8ec90292bf077c129486ec19

SHA1
70f5de19aef552ee45bd31de1bf1e2e05020631f

SHA256
cd003f5ce0dde74b9793685c549a6883b405fca4d533f27fbb050199a2339a28

SHA512
ba7ebaaa57729630aaaff34946122a6d9731a7c5264274803d6629fe6b63e5cc0703e4f41218bcbb56207da4eac686bc23ec8c13b19173205db66826594d7ec9

Download Submit
C:\Users\Admin\AppData\Roaming\ordahWuzjJ.js
Filesize
117KB

MD5
ab7b0b2a8b0400680902921c621c567e

SHA1
4a13aece7e5067de9bf964b2da971674c1ffb8b9

SHA256
ce7413534151201cc50e7fe17224c127c1e87556c98af5a507a3a579286536a9

SHA512
4716077db2ea5b520bb6207eb6f5dc6761c5814023a602830cf9164f37eea2ca083a1cae3670b88234049de7ee53e784b1244fdf7d16ddbc86f694a7418bdf80

Download Submit
memory/3100-131-0x0000000000000000-mapping.dmp

Download
memory/4420-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads