vjw0rm | cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

General

Target

test.js
Size

609KB
MD5

0dd3d7d195a7d45f24c1f86c25b8bd73
SHA1

cb4142317dc5ca92ba2eee9aecc8809d34276ce4
SHA256

cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6
SHA512

63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0
SSDEEP

3072:vTwFRFxmzUmKvOERglXIjl7U0lVJSpHOcdKzPaKjaFeMXnsM4MkY9WZY5i/1RgHj:v+67ykgieRJ4Xp8Gl+stC/MxiP1YfoO

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 31 IoCs

flow	pid	Process
9	912	wscript.exe
10	1928	wscript.exe
11	1624	wscript.exe
12	1928	wscript.exe
13	1928	wscript.exe
16	1928	wscript.exe
18	1928	wscript.exe
20	1624	wscript.exe
22	912	wscript.exe
24	1928	wscript.exe
26	1928	wscript.exe
27	1928	wscript.exe
30	1928	wscript.exe
32	1624	wscript.exe
34	912	wscript.exe
36	1928	wscript.exe
37	1928	wscript.exe
38	1928	wscript.exe
44	1928	wscript.exe
46	1624	wscript.exe
47	912	wscript.exe
49	1928	wscript.exe
50	1928	wscript.exe
52	1928	wscript.exe
55	1928	wscript.exe
56	912	wscript.exe
58	1624	wscript.exe
60	1928	wscript.exe
62	1928	wscript.exe
63	1928	wscript.exe
64	1928	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVDUbxSgAX.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\test.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1624	576	wscript.exe	26
PID 576 wrote to memory of 1624	576	wscript.exe	26
PID 576 wrote to memory of 1624	576	wscript.exe	26
PID 576 wrote to memory of 1928	576	wscript.exe	27
PID 576 wrote to memory of 1928	576	wscript.exe	27
PID 576 wrote to memory of 1928	576	wscript.exe	27
PID 1928 wrote to memory of 912	1928	wscript.exe	28
PID 1928 wrote to memory of 912	1928	wscript.exe	28
PID 1928 wrote to memory of 912	1928	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1624
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\test.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.js

Filesize
609KB

MD5
0dd3d7d195a7d45f24c1f86c25b8bd73

SHA1
cb4142317dc5ca92ba2eee9aecc8809d34276ce4

SHA256
cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

SHA512
63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

Download Submit
C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js

Filesize
209KB

MD5
317f5e88c459ca95d712ff48993c684d

SHA1
f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

SHA256
a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

SHA512
49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

Download Submit
C:\Users\Admin\AppData\Roaming\ZVDUbxSgAX.js

Filesize
209KB

MD5
317f5e88c459ca95d712ff48993c684d

SHA1
f88d0ab3a59a54a5902e96f4aa11f73f26b9a01f

SHA256
a6d84d791efafee0828d9274a31dc208b93c2b662da97d6c32af5b03f74db296

SHA512
49ab4dc8a5a8718bd9089681bca3ab27ab4de7c6d4875ceae34009a764c68ef6ed6a51a35b8b0f7e79e423538376639bf26ec264c0e6c5dd81248fd5ece33e0a

Download Submit
C:\Users\Admin\AppData\Roaming\test.js

Filesize
609KB

MD5
0dd3d7d195a7d45f24c1f86c25b8bd73

SHA1
cb4142317dc5ca92ba2eee9aecc8809d34276ce4

SHA256
cc17a222a8b6e268ef29c4e4de39390b77f23fc6c45ea21dc9191ac45f15aea6

SHA512
63f0093605b0a4632a123dba5d999462025a6d99f9d2a310c53e0ab255526a297d3b370fae39c1f4b52ef1c591880fa90b0c45ab2fe8686f122c5c56b73023d0

Download Submit
memory/576-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing