vjw0rm | 29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO.js
Size

16KB
MD5

d9cf358d33e0b914b807f31d6c58c5a7
SHA1

8eea7bf764edac96eb2a06f3a7301f6cec2d2bb8
SHA256

29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541
SHA512

06802248fa1440aceb565efdad5ac752d6f2469add00a0e1decc3e398b53a2975f80b55924fe98402c0e3c2ca4850c842a77b1ba189ea0067934028a6e90f6a9
SSDEEP

192:BdmxVneKi3B7oB8AmIufpDU1qLyAFsagU13pR8UAEbfK+bE+1FauvG6JY46272ii:eViR0B81Is61aykvpRrK+bZR72twdu

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

http://212.193.30.230:6505

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
6	1648	wscript.exe
7	1584	wscript.exe
10	1648	wscript.exe
14	1648	wscript.exe
18	1648	wscript.exe
22	1648	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUdyiwsLkK.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUdyiwsLkK.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\2JZFR52JWJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1648	1584	wscript.exe	26
PID 1584 wrote to memory of 1648	1584	wscript.exe	26
PID 1584 wrote to memory of 1648	1584	wscript.exe	26

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EUdyiwsLkK.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EUdyiwsLkK.js

Filesize
5KB

MD5
fdb563c457afbde4219e1a83f742a8be

SHA1
8e217d47db9654e839273115479a2121745250a5

SHA256
eedb0f6bd119171b632c131672eb59ac547464ddaf727a062af3c4b27edfbe49

SHA512
0c8eacd5a8d82fe264a11611630211438ae3721f93a4610a530312d08ae7e87689527c82640a22b7287c2d38add261ed75c4fbcdb0e27f427726c920b623a81c

Download Submit
memory/1584-54-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download