vjw0rm | 1be2dc60fc190fa24ace0773da07977373d850d51766614a784219ae44e462a7

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRANSFERENCIA $112987.17.js
Size

14KB
MD5

eebdb2830ae3a8d54b21ef656b5f0666
SHA1

ccad487426e12ea32493045cc2dfcbf52377ca32
SHA256

1be2dc60fc190fa24ace0773da07977373d850d51766614a784219ae44e462a7
SHA512

ecaf8446de9d88089b87f16b149e24f27feea03eae1e2697a2bd54a557d3031aea1e2aeaaec25b63aa65b78359c3b104c3a3ac0f8713a751a3d6e10938dd47ff

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	3976	wscript.exe
10	1356	wscript.exe
11	1356	wscript.exe
13	1356	wscript.exe
14	1356	wscript.exe
17	1356	wscript.exe
18	1356	wscript.exe
21	1356	wscript.exe
24	1356	wscript.exe
27	1356	wscript.exe
28	1356	wscript.exe
29	1356	wscript.exe
30	1356	wscript.exe
31	1356	wscript.exe
32	1356	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnQAZClRMy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnQAZClRMy.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3976 wrote to memory of 1356	3976	wscript.exe	wscript.exe
PID 3976 wrote to memory of 1356	3976	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnQAZClRMy.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HnQAZClRMy.js
Filesize
6KB

MD5
1328ea72158d920e1e2f7c30285d564a

SHA1
b76c06051f561638731d7a300abeddff2a1a9246

SHA256
b576844a45f963b8222a07e75bda407c1488df6ffe776fc31a3df7ead3c5ad3b

SHA512
b4aa3c82b7a4db86610011beddf26ef2fe5410bbbf882159247f8e4a891ef2fa31777fd605ce3ed6b74f1fe62bf179162e9bdead0fbed068ea1b5d83801efeee

Download Submit
memory/1356-132-0x0000000000000000-mapping.dmp

Download