vjw0rm | bb71355902607d2c6b880b49cbfce0c9fd98f03297e0836d3adbcbfba9ea5feb

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 07:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Payment.js
Size

28KB
MD5

359404b0cab1f6527c6f200437696451
SHA1

9da5f4937f158978047db38d38eb9bc20196dc8d
SHA256

bb71355902607d2c6b880b49cbfce0c9fd98f03297e0836d3adbcbfba9ea5feb
SHA512

3bd9c816a8ab8515f7a02b9085c6b321fc6fd7d49d8d8b5e42d274b4db606cfa3f927ddb5741aa94edfb40fa2b4d042fa26e6e98d967920f22ab90ecef04d122
SSDEEP

768:73PRmOQmiKb7OjxQIjkhqxOjrptJ4fOhnFT:7OmiQkkhjrFzN

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 23 IoCs

flow	pid	Process
7	3248	wscript.exe
9	2332	wscript.exe
15	3248	wscript.exe
21	3248	wscript.exe
24	3248	wscript.exe
26	2332	wscript.exe
32	3248	wscript.exe
33	3248	wscript.exe
36	3248	wscript.exe
37	2332	wscript.exe
40	3248	wscript.exe
41	3248	wscript.exe
42	3248	wscript.exe
43	2332	wscript.exe
44	3248	wscript.exe
45	3248	wscript.exe
46	3248	wscript.exe
47	2332	wscript.exe
48	3248	wscript.exe
49	3248	wscript.exe
50	3248	wscript.exe
51	2332	wscript.exe
52	3248	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QoWJFExORY.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QoWJFExORY.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2JZFR52JWJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2332	3248	wscript.exe	82
PID 3248 wrote to memory of 2332	3248	wscript.exe	82

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QoWJFExORY.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\QoWJFExORY.js

Filesize
9KB

MD5
b887f638862355636804bbe6e55e3a94

SHA1
35b8933be5d930d4cf360f2e8652d3d3bffe601c

SHA256
c0a37899c089539026ac8580aa286cb460f3d0e0ba8b4a6c411b88fe84893bdd

SHA512
b8c8f0d59b368c407993ab9b6c561f50bdb750e4e8c858415f387f94bac96915238b427b4847258808395ceb5af30848dba322511384bbe2c052b273ba141317

Download Submit