vjw0rm | 6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/01/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT RECEIPT.js
Size

48KB
MD5

167d5b5849b0b9c3e79a89b7f71cdfb5
SHA1

d4a1d6d229ffc5b5a6238a1925cbe0d43a669452
SHA256

6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5
SHA512

9d125807d89de88106dfb204cc358b38032ae985f89e71fb31107397183295bd1a53b823c7486167f5fd8f1b811c3068cfc4623f13cbe5a7ae3d814025e3e6ee
SSDEEP

1536:Uba3a2jbwbtJbBGyMuI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN3w:Ub7rBBMuI7MMdHl8aFzMKhKyM+anvJKL

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

flow	pid	Process
4	952	wscript.exe
5	952	wscript.exe
6	952	wscript.exe
8	952	wscript.exe
10	952	wscript.exe
11	952	wscript.exe
13	952	wscript.exe
14	952	wscript.exe
15	952	wscript.exe
17	952	wscript.exe
18	952	wscript.exe
19	952	wscript.exe
21	952	wscript.exe
22	952	wscript.exe
23	952	wscript.exe
25	952	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 952	1684	wscript.exe	27
PID 1684 wrote to memory of 952	1684	wscript.exe	27
PID 1684 wrote to memory of 952	1684	wscript.exe	27

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VpdWufezad.js

Filesize
18KB

MD5
29b7dfa182095ac131dc0fe29ac1114f

SHA1
da5c6968d5c0c93ec8c5c03d6beb846a18f88514

SHA256
182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479

SHA512
743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c

Download Submit
memory/952-56-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download