vjw0rm | f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d

General

Target

SPI MARINE1.js
Size

1.3MB
MD5

9ada0e7d8b3fd0b3b5509e961f8f69cb
SHA1

109f9a3ee9975fb1535b929a259de4c6de8a26a2
SHA256

f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d
SHA512

3ef03e77c5f6b18c820773ae839cb74dbba1c24f5b0409bf304002dcb77360a52bdffafdc65a62a5782d7e4944cfaff75441527648b0d53c393c9a327659fc08
SSDEEP

24576:D6TEbroV1XoNqO52U8efYc/UmTU1TVEcH51NW6:WAIrA52UpTK9G6

Score

10^/10

vjw0rm collection spyware stealer trojan worm

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.agritrader.net.ve
Port:
587
Username:
[email protected]
Password:
f=hq-Jgicgp3

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

flow	pid	Process
9	4508	wscript.exe
43	4508	wscript.exe
51	4508	wscript.exe
55	4508	wscript.exe
67	4508	wscript.exe
69	4508	wscript.exe
76	4508	wscript.exe
79	4508	wscript.exe
87	4508	wscript.exe
90	4508	wscript.exe
93	4508	wscript.exe
98	4508	wscript.exe
99	4508	wscript.exe
109	4508	wscript.exe
110	4508	wscript.exe
111	4508	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
632	Payload-1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Payload-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Payload-1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	Payload-1.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4508	3172	wscript.exe	80
PID 3172 wrote to memory of 4508	3172	wscript.exe	80
PID 3172 wrote to memory of 632	3172	wscript.exe	81
PID 3172 wrote to memory of 632	3172	wscript.exe	81
PID 3172 wrote to memory of 632	3172	wscript.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payload-1.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

Filesize
751KB

MD5
5d69b96143f57d5a20e3e118308005b6

SHA1
01f8350a1cb668c1b023d7c5e28b55d5d4e18d07

SHA256
666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed

SHA512
7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

Filesize
751KB

MD5
5d69b96143f57d5a20e3e118308005b6

SHA1
01f8350a1cb668c1b023d7c5e28b55d5d4e18d07

SHA256
666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed

SHA512
7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

Download Submit
C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js

Filesize
16KB

MD5
c3ac7171af4f9c6564c944b0c43e11c3

SHA1
17199bac943ab82cf4d97bc4a6d2a262121138d5

SHA256
5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4

SHA512
0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200

Download Submit
memory/632-137-0x00000000003C0000-0x0000000000482000-memory.dmp

Filesize
776KB

Download
memory/632-138-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/632-139-0x0000000008800000-0x0000000008822000-memory.dmp

Filesize
136KB

Download
memory/632-140-0x0000000008CC0000-0x0000000008CCA000-memory.dmp

Filesize
40KB

Download
memory/632-141-0x0000000008CF0000-0x0000000008D02000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads