vjw0rm | 355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc

General

Target

js (2).js
Size

68KB
MD5

c1c77d014849645fd2802f7e4f421bd1
SHA1

0ffe0908f44ba65fa664a1d6a82de61e71690845
SHA256

355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc
SHA512

f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329
SSDEEP

1536:eET4c9hSc/PbwG+j/UZABcxGI1BG0yz3pLS2Xmi0jd:eEsc9p/DT+kwI1BHw8

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 30 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
10	1132	wscript.exe
11	564	wscript.exe
12	716	wscript.exe
13	716	wscript.exe
14	716	wscript.exe
16	716	wscript.exe
19	716	wscript.exe
20	564	wscript.exe
22	1132	wscript.exe
24	716	wscript.exe
27	716	wscript.exe
28	716	wscript.exe
31	716	wscript.exe
34	564	wscript.exe
36	1132	wscript.exe
37	716	wscript.exe
38	716	wscript.exe
39	716	wscript.exe
45	716	wscript.exe
47	564	wscript.exe
49	1132	wscript.exe
50	716	wscript.exe
51	716	wscript.exe
53	716	wscript.exe
56	716	wscript.exe
58	1132	wscript.exe
60	564	wscript.exe
61	716	wscript.exe
63	716	wscript.exe
64	716	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MdLoMTMthZ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MdLoMTMthZ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MdLoMTMthZ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js (2).js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js (2).js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\js (2) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\js (2).js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\js (2) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\js (2).js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\js (2) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\js (2).js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\js (2) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\js (2).js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1036 wrote to memory of 564	1036	wscript.exe	wscript.exe
PID 1036 wrote to memory of 564	1036	wscript.exe	wscript.exe
PID 1036 wrote to memory of 564	1036	wscript.exe	wscript.exe
PID 1036 wrote to memory of 716	1036	wscript.exe	wscript.exe
PID 1036 wrote to memory of 716	1036	wscript.exe	wscript.exe
PID 1036 wrote to memory of 716	1036	wscript.exe	wscript.exe
PID 716 wrote to memory of 1132	716	wscript.exe	wscript.exe
PID 716 wrote to memory of 1132	716	wscript.exe	wscript.exe
PID 716 wrote to memory of 1132	716	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\js (2).js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:564

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\js (2).js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js

Filesize
16KB

MD5
2c9dd6febafc1246323d17d70cae26b8

SHA1
8b1b662992584acc1b64ca9626fd272c3f2d49be

SHA256
3a500edcc24ec6e223d86b32f60718e24bd3ee2b186524b627f4fe1783dfb3a5

SHA512
b69df04f7444437ce2835c898d4f1f209cb00184f4e55074e77dc2beaf72bc328ae6cfab25f459e6d7bcea987638dd17301884827d9896bf8ce6692b57ae11e2

Download Submit
C:\Users\Admin\AppData\Roaming\MdLoMTMthZ.js

Filesize
16KB

MD5
2c9dd6febafc1246323d17d70cae26b8

SHA1
8b1b662992584acc1b64ca9626fd272c3f2d49be

SHA256
3a500edcc24ec6e223d86b32f60718e24bd3ee2b186524b627f4fe1783dfb3a5

SHA512
b69df04f7444437ce2835c898d4f1f209cb00184f4e55074e77dc2beaf72bc328ae6cfab25f459e6d7bcea987638dd17301884827d9896bf8ce6692b57ae11e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MdLoMTMthZ.js

Filesize
16KB

MD5
2c9dd6febafc1246323d17d70cae26b8

SHA1
8b1b662992584acc1b64ca9626fd272c3f2d49be

SHA256
3a500edcc24ec6e223d86b32f60718e24bd3ee2b186524b627f4fe1783dfb3a5

SHA512
b69df04f7444437ce2835c898d4f1f209cb00184f4e55074e77dc2beaf72bc328ae6cfab25f459e6d7bcea987638dd17301884827d9896bf8ce6692b57ae11e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js (2).js

Filesize
68KB

MD5
c1c77d014849645fd2802f7e4f421bd1

SHA1
0ffe0908f44ba65fa664a1d6a82de61e71690845

SHA256
355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc

SHA512
f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329

Download Submit
C:\Users\Admin\AppData\Roaming\js (2).js

Filesize
68KB

MD5
c1c77d014849645fd2802f7e4f421bd1

SHA1
0ffe0908f44ba65fa664a1d6a82de61e71690845

SHA256
355d77dfeedf4cf7d5641618598a55b2571eb227c5f6cbda810acc143c4c2bcc

SHA512
f4b107e3123b3f52dbc3dd21c491acb1fc81f366f6ade87f8e1a2aa50695a26b86aa8d1e1c40139f8095577f1b2b211f788f9f9b0d9abf4f7a7ccb1e37df7329

Download Submit
memory/564-55-0x0000000000000000-mapping.dmp

Download
memory/716-57-0x0000000000000000-mapping.dmp

Download
memory/1036-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1132-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads