vjw0rm | f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Transfer_receipt_jpg.js
Size

29KB
MD5

5333fab02eabde7a8e9c0d8a0b838237
SHA1

9ac71fd8fa80f40f88a1b4e9e8800db9e8c579fe
SHA256

f6cf2d7c500799688ffa713b0a82e8d5625ce73dc0c16ab0aecc6bdf20b38458
SHA512

3693afd65f6c1e578f35bacd9aa894a77fef91202d5a1542f95e40b7d250b953adc737a378f4bff98604b9ad50d32b6da95039ad004ee46bae6f6522b1b14f16

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exe

flow	pid	process
6	776	wscript.exe
14	776	wscript.exe
26	776	wscript.exe
36	776	wscript.exe
38	776	wscript.exe
41	776	wscript.exe
44	776	wscript.exe
47	776	wscript.exe
48	776	wscript.exe
49	776	wscript.exe
51	776	wscript.exe
52	776	wscript.exe
53	776	wscript.exe
54	776	wscript.exe
55	776	wscript.exe
56	776	wscript.exe
57	776	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer_receipt_jpg.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description pid process target process

PID 776 wrote to memory of 64 776 wscript.exe wscript.exe
PID 776 wrote to memory of 64 776 wscript.exe wscript.exe

description	pid	process	target process
PID 776 wrote to memory of 64	776	wscript.exe	wscript.exe
PID 776 wrote to memory of 64	776	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Transfer_receipt_jpg.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js"
2⤵
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MxFmKSzNKl.js
Filesize
8KB

MD5
3f011675c4087298e1fcf32859d4449c

SHA1
7786493022e231a55e5588ae22c6b8006bc070c2

SHA256
a508df80606c93588c0278b2fbb88bef2315963dcfe2276347baa1a5dc078405

SHA512
aff5ad1afb97f55303a2dc7f83443d6806cd294a119d68b4d464ab2b6884fed0c13a40127d3dbfda095fad14f72ec0bb2194154807eacbfc61026ab4acfd107c

Download Submit
memory/64-130-0x0000000000000000-mapping.dmp

Download