vjw0rm | cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

General

Target

test.js
Size

609KB
MD5

0dd3d7d195a7d45f24c1f86c25b8bd73
SHA1

cb4142317dc5ca92ba2eee9aecc8809d34276ce4
SHA256

cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6
SHA512

63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0
SSDEEP

3072:vTwFRFxmzUmKvOERglXIjl7U0lVJSpHOcdKzPaKjaFeMXnsM4MkY9WZY5i/1RgHj:v+67ykgieRJ4Xp8Gl+stC/MxiP1YfoO

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 30 IoCs

flow	pid	Process
10	1580	wscript.exe
11	764	wscript.exe
12	896	wscript.exe
13	896	wscript.exe
15	896	wscript.exe
19	896	wscript.exe
22	764	wscript.exe
23	896	wscript.exe
26	1580	wscript.exe
28	896	wscript.exe
30	896	wscript.exe
32	896	wscript.exe
35	896	wscript.exe
37	764	wscript.exe
38	1580	wscript.exe
41	896	wscript.exe
43	896	wscript.exe
45	896	wscript.exe
51	896	wscript.exe
54	1580	wscript.exe
55	764	wscript.exe
56	896	wscript.exe
59	896	wscript.exe
61	896	wscript.exe
64	896	wscript.exe
66	764	wscript.exe
68	1580	wscript.exe
69	896	wscript.exe
72	896	wscript.exe
74	896	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1580	872	wscript.exe	28
PID 872 wrote to memory of 1580	872	wscript.exe	28
PID 872 wrote to memory of 1580	872	wscript.exe	28
PID 872 wrote to memory of 896	872	wscript.exe	29
PID 872 wrote to memory of 896	872	wscript.exe	29
PID 872 wrote to memory of 896	872	wscript.exe	29
PID 896 wrote to memory of 764	896	wscript.exe	30
PID 896 wrote to memory of 764	896	wscript.exe	30
PID 896 wrote to memory of 764	896	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1580
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\test.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js

Filesize
209KB

MD5
317f5e88c459ca95d712ff48993c684d

SHA1
f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

SHA256
a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

SHA512
49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js

Filesize
609KB

MD5
0dd3d7d195a7d45f24c1f86c25b8bd73

SHA1
cb4142317dc5ca92ba2eee9aecc8809d34276ce4

SHA256
cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

SHA512
63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

Download Submit
C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js

Filesize
209KB

MD5
317f5e88c459ca95d712ff48993c684d

SHA1
f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

SHA256
a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

SHA512
49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

Download Submit
C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js

Filesize
209KB

MD5
317f5e88c459ca95d712ff48993c684d

SHA1
f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

SHA256
a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

SHA512
49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

Download Submit
C:\Users\Admin\AppData\Roaming\test.js

Filesize
609KB

MD5
0dd3d7d195a7d45f24c1f86c25b8bd73

SHA1
cb4142317dc5ca92ba2eee9aecc8809d34276ce4

SHA256
cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

SHA512
63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

Download Submit
memory/872-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing