vjw0rm | 6f42ed8f3470aa85f36c0f445793e24d5ad2c7637df440bfe3ebc2816a42f8ba

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e.js
Size

271KB
MD5

56874c0b5d9fe1a62597098be19113cb
SHA1

235b0c6b6ff8c2c667a3aca376e6d09bee039eee
SHA256

2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e
SHA512

a1039448cf03ca10ef9d05cb3ebf418c45e2083964c9a66f7009beb7b36db41a979618813d0abf6cd03dc38c7709bf1aebe9cd11067afad2358a2145da109f2e
SSDEEP

6144:jCPjENIBMqnbvmNETFwauvrb7gOhpFtwWIVyWT:jCPjENI6Cm6zSP9pFKWK

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

flow	pid	Process
4	2040	WScript.exe
13	2040	WScript.exe
14	2040	WScript.exe
17	2040	WScript.exe
18	2040	WScript.exe
19	2040	WScript.exe
21	2040	WScript.exe
22	2040	WScript.exe
23	2040	WScript.exe
25	2040	WScript.exe
26	2040	WScript.exe
27	2040	WScript.exe
29	2040	WScript.exe
30	2040	WScript.exe
31	2040	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeunXSGcHu.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeunXSGcHu.js	WScript.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\zefatlwjjg.txt	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2040	880	wscript.exe	27
PID 880 wrote to memory of 2040	880	wscript.exe	27
PID 880 wrote to memory of 2040	880	wscript.exe	27
PID 880 wrote to memory of 1724	880	wscript.exe	28
PID 880 wrote to memory of 1724	880	wscript.exe	28
PID 880 wrote to memory of 1724	880	wscript.exe	28
PID 1724 wrote to memory of 1072	1724	javaw.exe	32
PID 1724 wrote to memory of 1072	1724	javaw.exe	32
PID 1724 wrote to memory of 1072	1724	javaw.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e.js
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\KeunXSGcHu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2040
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zefatlwjjg.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\zefatlwjjg.txt"
    3⤵
    PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre7\zefatlwjjg.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
C:\Users\Admin\AppData\Roaming\KeunXSGcHu.js

Filesize
34KB

MD5
ec2f8b54b8cfbd39beb6b801a557bf47

SHA1
707d30d858c61d664e5808c1ccc5d7e335d3f6fe

SHA256
d22af6595a12474313f3e4c10300603e57c1cd04d9ebdffee52032a3411d2948

SHA512
49459bc20244d28a2882c6f98de3835bbb25efdaac42888cac0f01dfeca2e2909e447294d9559f9b6c9fa1e4583969d61facd79c0761fd52195f2dc4d3b47bda

Download Submit
C:\Users\Admin\AppData\Roaming\zefatlwjjg.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
memory/880-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download
memory/1072-82-0x0000000002130000-0x0000000005130000-memory.dmp

Filesize
48.0MB

Download
memory/1072-83-0x0000000002130000-0x0000000005130000-memory.dmp

Filesize
48.0MB

Download
memory/1724-70-0x0000000002160000-0x0000000005160000-memory.dmp

Filesize
48.0MB

Download