vjw0rm | b9bb061078e650e5b8f245119408bc1f25ccde688102d9f82ca499611638dfea

General

Target

CREDIT NOTE.js
Size

47KB
MD5

771ee97bd2e61801d47f37b60a69d1c8
SHA1

b77ea83d939bc5ce8ceff9668488f8045ba58a0b
SHA256

25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
SHA512

2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
SSDEEP

768:bH5hjkXAZJMdHG7TH8eA0oWz6nSwsmjX1uMW7/1W8eXBnKX2CzHsPOux4GsPje//:bH5hIwZ+dHk8n0ISwXZ8OBKX2yKCXlgT

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 24 IoCs

flow	pid	Process
11	1992	wscript.exe
12	2036	wscript.exe
13	1988	wscript.exe
14	1988	wscript.exe
17	1988	wscript.exe
19	2036	wscript.exe
21	1992	wscript.exe
24	1988	wscript.exe
25	1988	wscript.exe
28	1988	wscript.exe
32	1992	wscript.exe
33	2036	wscript.exe
34	1988	wscript.exe
37	1988	wscript.exe
39	1988	wscript.exe
44	1988	wscript.exe
47	1992	wscript.exe
48	2036	wscript.exe
49	1988	wscript.exe
51	1988	wscript.exe
55	1988	wscript.exe
58	1992	wscript.exe
59	2036	wscript.exe
61	1988	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2036	1484	wscript.exe	28
PID 1484 wrote to memory of 2036	1484	wscript.exe	28
PID 1484 wrote to memory of 2036	1484	wscript.exe	28
PID 1484 wrote to memory of 1988	1484	wscript.exe	29
PID 1484 wrote to memory of 1988	1484	wscript.exe	29
PID 1484 wrote to memory of 1988	1484	wscript.exe	29
PID 1988 wrote to memory of 1992	1988	wscript.exe	31
PID 1988 wrote to memory of 1992	1988	wscript.exe	31
PID 1988 wrote to memory of 1992	1988	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2036
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js

Filesize
47KB

MD5
771ee97bd2e61801d47f37b60a69d1c8

SHA1
b77ea83d939bc5ce8ceff9668488f8045ba58a0b

SHA256
25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d

SHA512
2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js

Filesize
47KB

MD5
771ee97bd2e61801d47f37b60a69d1c8

SHA1
b77ea83d939bc5ce8ceff9668488f8045ba58a0b

SHA256
25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d

SHA512
2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js

Filesize
8KB

MD5
2f2198533289a4dac6f4406539f5b0f5

SHA1
f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58

SHA256
2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4

SHA512
cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5

Download Submit
C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js

Filesize
8KB

MD5
2f2198533289a4dac6f4406539f5b0f5

SHA1
f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58

SHA256
2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4

SHA512
cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5

Download Submit
C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js

Filesize
8KB

MD5
2f2198533289a4dac6f4406539f5b0f5

SHA1
f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58

SHA256
2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4

SHA512
cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5

Download Submit
memory/1484-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing