vjw0rm | dbd9fa524d604f5176c0a630dc6a33ad882a4ad924f32d0d8e926b2282830b4d

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO #201022.js
Size

21KB
MD5

f74ced094ebe99fa0915b28a2a8a9fc7
SHA1

49f432ab21bb4c1ea62ddbec657f1738755ebf20
SHA256

dbd9fa524d604f5176c0a630dc6a33ad882a4ad924f32d0d8e926b2282830b4d
SHA512

a9d680d940b7c39b0a4cea264aafd2efa4fbfb8e707c36ec6cfc427be0c80cc43effd3e49ddfc8beeb8f6f2eef01b91683729cca058994270ec111d00efb69ec
SSDEEP

384:caxGJXaVaJGvXNJvkHqBbY4Axobnu+1dHCrfnep0mKbx2R6j98FTApF0Z6/tfmBS:cXJXdkNqHqBU4CobuAsU01b8Teo61feS

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Family

vjw0rm

http://breakchian.duckdns.org:7974

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
7	1640	wscript.exe
8	1988	wscript.exe
11	1640	wscript.exe
14	1640	wscript.exe
18	1640	wscript.exe
22	1640	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HoXGqtwWjU.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HoXGqtwWjU.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1640	1988	wscript.exe	26
PID 1988 wrote to memory of 1640	1988	wscript.exe	26
PID 1988 wrote to memory of 1640	1988	wscript.exe	26

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO #201022.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HoXGqtwWjU.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HoXGqtwWjU.js

Filesize
7KB

MD5
c4621e8345416c3aaee4a93039ca7517

SHA1
41ff6bb7761d0670af84a51a4702297c83d36aab

SHA256
79e7e26a36d7b9c4977d1b852edbb3d80ff709a0777d2e164dd101ac0106fb59

SHA512
d62a17418653ea5fc1d43e738f8e0a22a0d626026b9837b674239d5e2f51a873d7de1006928a4841975fd79f8d25bfc2a08bd326d6f777749964e3481a1621f3

Download Submit
memory/1988-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download