vjw0rm | dbd9fa524d604f5176c0a630dc6a33ad882a4ad924f32d0d8e926b2282830b4d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO #201022.js
Size

21KB
MD5

f74ced094ebe99fa0915b28a2a8a9fc7
SHA1

49f432ab21bb4c1ea62ddbec657f1738755ebf20
SHA256

dbd9fa524d604f5176c0a630dc6a33ad882a4ad924f32d0d8e926b2282830b4d
SHA512

a9d680d940b7c39b0a4cea264aafd2efa4fbfb8e707c36ec6cfc427be0c80cc43effd3e49ddfc8beeb8f6f2eef01b91683729cca058994270ec111d00efb69ec
SSDEEP

384:caxGJXaVaJGvXNJvkHqBbY4Axobnu+1dHCrfnep0mKbx2R6j98FTApF0Z6/tfmBS:cXJXdkNqHqBU4CobuAsU01b8Teo61feS

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Family

vjw0rm

http://breakchian.duckdns.org:7974

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 7 IoCs

flow	pid	Process
7	2276	wscript.exe
8	1768	wscript.exe
30	1768	wscript.exe
36	1768	wscript.exe
39	1768	wscript.exe
41	1768	wscript.exe
42	1768	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HoXGqtwWjU.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HoXGqtwWjU.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1768	2276	wscript.exe	77
PID 2276 wrote to memory of 1768	2276	wscript.exe	77

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO #201022.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HoXGqtwWjU.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HoXGqtwWjU.js

Filesize
7KB

MD5
c4621e8345416c3aaee4a93039ca7517

SHA1
41ff6bb7761d0670af84a51a4702297c83d36aab

SHA256
79e7e26a36d7b9c4977d1b852edbb3d80ff709a0777d2e164dd101ac0106fb59

SHA512
d62a17418653ea5fc1d43e738f8e0a22a0d626026b9837b674239d5e2f51a873d7de1006928a4841975fd79f8d25bfc2a08bd326d6f777749964e3481a1621f3

Download Submit