vjw0rm | bc6b3044943128e9f326b4c0bde41375596254ac5fb4f0e8c00c2eef33688247

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2022, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB#6375872554.pdf.js
Size

267KB
MD5

641d80a70da56a8b33cbaff530cf6d2e
SHA1

9dc182e6dd82a28c2546583bdd2c4d7a86f70aeb
SHA256

bc6b3044943128e9f326b4c0bde41375596254ac5fb4f0e8c00c2eef33688247
SHA512

f0de610da7b3be90db1c591a973fde1da4f6c2e6b27e388d3d7086e1ad975de1d9c645beff98c0b7f193438839d29a36c059f17fe874d7d4ce31feda39228481
SSDEEP

3072:U/YirPgDvzlvtD636gUNgUmMuUbemcVGHQmC+DYUzSsqbDrCPx7Yvgke/ikIS363:JpvtD6DumBVGHbrSPrCpkvM3RlP6Rb

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 38 IoCs

flow	pid	Process
6	3988	wscript.exe
7	1276	wscript.exe
9	1276	wscript.exe
19	1276	wscript.exe
20	3988	wscript.exe
26	1276	wscript.exe
27	3988	wscript.exe
28	1276	wscript.exe
30	3988	wscript.exe
33	1276	wscript.exe
42	1276	wscript.exe
44	3988	wscript.exe
45	1276	wscript.exe
46	3988	wscript.exe
49	1276	wscript.exe
51	3988	wscript.exe
52	1276	wscript.exe
56	1276	wscript.exe
57	3988	wscript.exe
58	1276	wscript.exe
59	3988	wscript.exe
60	1276	wscript.exe
61	3988	wscript.exe
62	1276	wscript.exe
63	1276	wscript.exe
64	3988	wscript.exe
65	1276	wscript.exe
66	3988	wscript.exe
67	1276	wscript.exe
68	3988	wscript.exe
69	1276	wscript.exe
70	1276	wscript.exe
71	3988	wscript.exe
72	1276	wscript.exe
73	3988	wscript.exe
74	1276	wscript.exe
75	3988	wscript.exe
76	1276	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#6375872554.pdf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#6375872554.pdf.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ETjJkVMSdD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ETjJkVMSdD.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#6375872554 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#6375872554.pdf.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#6375872554 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#6375872554.pdf.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3988	1276	wscript.exe	81
PID 1276 wrote to memory of 3988	1276	wscript.exe	81

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#6375872554.pdf.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ETjJkVMSdD.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ETjJkVMSdD.js

Filesize
8KB

MD5
2e63f3ff7040a45ea0bc347772548885

SHA1
615f3e2228e727f1c2f161cba09cda1bea0025fe

SHA256
1b3200096468c60b55ec3ffcc65176da93cc1e34279c57b040e0c1c170472674

SHA512
3f0f826035c71e35dd72782fb286ddaecb9ae7b881ef48e34960456528ab036f690e521a84e9bee4376608f7fb3aec3abc8877ee49f093cf2ebbf35be501f603

Download Submit