vjw0rm | f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d

General

Target

SPI MARINE1.js
Size

1.3MB
MD5

9ada0e7d8b3fd0b3b5509e961f8f69cb
SHA1

109f9a3ee9975fb1535b929a259de4c6de8a26a2
SHA256

f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d
SHA512

3ef03e77c5f6b18c820773ae839cb74dbba1c24f5b0409bf304002dcb77360a52bdffafdc65a62a5782d7e4944cfaff75441527648b0d53c393c9a327659fc08
SSDEEP

24576:D6TEbroV1XoNqO52U8efYc/UmTU1TVEcH51NW6:WAIrA52UpTK9G6

Score

10^/10

vjw0rm collection spyware stealer trojan worm

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.agritrader.net.ve
Port:
587
Username:
[email protected]
Password:
f=hq-Jgicgp3

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

flow	pid	Process
5	1112	wscript.exe
12	1112	wscript.exe
13	1112	wscript.exe
15	1112	wscript.exe
17	1112	wscript.exe
18	1112	wscript.exe
20	1112	wscript.exe
21	1112	wscript.exe
22	1112	wscript.exe
24	1112	wscript.exe
25	1112	wscript.exe
26	1112	wscript.exe
28	1112	wscript.exe
29	1112	wscript.exe
30	1112	wscript.exe
32	1112	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	Payload-1.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Payload-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Payload-1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	Payload-1.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1112	1096	wscript.exe	26
PID 1096 wrote to memory of 1112	1096	wscript.exe	26
PID 1096 wrote to memory of 1112	1096	wscript.exe	26
PID 1096 wrote to memory of 1620	1096	wscript.exe	27
PID 1096 wrote to memory of 1620	1096	wscript.exe	27
PID 1096 wrote to memory of 1620	1096	wscript.exe	27
PID 1096 wrote to memory of 1620	1096	wscript.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

Filesize
751KB

MD5
5d69b96143f57d5a20e3e118308005b6

SHA1
01f8350a1cb668c1b023d7c5e28b55d5d4e18d07

SHA256
666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed

SHA512
7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

Filesize
751KB

MD5
5d69b96143f57d5a20e3e118308005b6

SHA1
01f8350a1cb668c1b023d7c5e28b55d5d4e18d07

SHA256
666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed

SHA512
7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

Download Submit
C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js

Filesize
16KB

MD5
c3ac7171af4f9c6564c944b0c43e11c3

SHA1
17199bac943ab82cf4d97bc4a6d2a262121138d5

SHA256
5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4

SHA512
0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200

Download Submit
memory/1096-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1620-61-0x0000000000DB0000-0x0000000000E72000-memory.dmp

Filesize
776KB

Download
memory/1620-62-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1620-63-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1620-64-0x0000000008220000-0x00000000082D2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing