vjw0rm | 6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT RECEIPT.js
Size

48KB
MD5

167d5b5849b0b9c3e79a89b7f71cdfb5
SHA1

d4a1d6d229ffc5b5a6238a1925cbe0d43a669452
SHA256

6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5
SHA512

9d125807d89de88106dfb204cc358b38032ae985f89e71fb31107397183295bd1a53b823c7486167f5fd8f1b811c3068cfc4623f13cbe5a7ae3d814025e3e6ee
SSDEEP

1536:Uba3a2jbwbtJbBGyMuI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN3w:Ub7rBBMuI7MMdHl8aFzMKhKyM+anvJKL

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 12 IoCs

flow	pid	Process
8	4224	wscript.exe
9	4224	wscript.exe
25	4224	wscript.exe
42	4224	wscript.exe
43	4224	wscript.exe
49	4224	wscript.exe
50	4224	wscript.exe
53	4224	wscript.exe
54	4224	wscript.exe
55	4224	wscript.exe
56	4224	wscript.exe
57	4224	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4224	1300	wscript.exe	80
PID 1300 wrote to memory of 4224	1300	wscript.exe	80

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VpdWufezad.js

Filesize
18KB

MD5
29b7dfa182095ac131dc0fe29ac1114f

SHA1
da5c6968d5c0c93ec8c5c03d6beb846a18f88514

SHA256
182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479

SHA512
743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c

Download Submit