vjw0rm | 947e1f1f0903f66206d335fa3d1774b06305c9f2e3cb12a725e60d12de40d54e

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHIPPING DOC MBL No - DBA0280069.js
Size

172KB
MD5

d4ea1f6762b4782215754a8061bf0473
SHA1

ceb22743fb1c5aacea84c7fd36bca5f0143d67d5
SHA256

947e1f1f0903f66206d335fa3d1774b06305c9f2e3cb12a725e60d12de40d54e
SHA512

9288d3a09dd476286b9d9aeb2ed191e862a1106bbfcd1345e13ecd7c26c38c6f201ea32bc0a1eab059b5f21f64a9f652e5ac39610ffb58ddb1f2337db80c729e
SSDEEP

3072:3fQZjwOSHmOn624MfIaQ6VAOLI8p7MdMQDE3saiXusMF1bnvzUP7iZFt6ooHMhJn:PMj4xNu/4

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 12 IoCs

Processes:

wscript.exe

flow	pid	process
7	4812	wscript.exe
14	4812	wscript.exe
33	4812	wscript.exe
40	4812	wscript.exe
41	4812	wscript.exe
44	4812	wscript.exe
45	4812	wscript.exe
47	4812	wscript.exe
48	4812	wscript.exe
49	4812	wscript.exe
50	4812	wscript.exe
51	4812	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1848 wrote to memory of 4812	1848	wscript.exe	wscript.exe
PID 1848 wrote to memory of 4812	1848	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC MBL No - DBA0280069.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js
Filesize
62KB

MD5
684279c92303f5c020fbdfe49148b4b3

SHA1
8dbca5701c2b410a30f65fca299dbcdc85d594a8

SHA256
cd2dbd8e61696334f284b70348ac2cea921ee208d7138cd09d63d85a70ce309d

SHA512
00daff59f643f8f8a8005eb24e6060191b96672ebf380d9e8499aca044d78c95ee759ac9ad30e739080aaa48a9cb232a488cd9054f24bce32d9f636714425ba0

Download Submit
memory/4812-132-0x0000000000000000-mapping.dmp

Download