vjw0rm | 5139042abdffe2246bdb46ad71300c9271194697d85741bccaaab4977fa02783

General

Target

2.js
Size

984KB
MD5

23e6dafa419a763923005e18ac40b8b4
SHA1

8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256

12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512

9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3
SSDEEP

6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8TSLcNdxzBalYlR:eQ3B7qgpILczr

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 52 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
10	456	wscript.exe
11	584	wscript.exe
12	1776	wscript.exe
13	456	wscript.exe
14	584	wscript.exe
16	1776	wscript.exe
18	456	wscript.exe
20	1776	wscript.exe
22	584	wscript.exe
26	456	wscript.exe
28	584	wscript.exe
30	1776	wscript.exe
31	456	wscript.exe
33	1776	wscript.exe
35	584	wscript.exe
36	456	wscript.exe
39	456	wscript.exe
40	584	wscript.exe
43	1776	wscript.exe
46	456	wscript.exe
48	584	wscript.exe
50	1776	wscript.exe
51	456	wscript.exe
54	584	wscript.exe
56	1776	wscript.exe
57	456	wscript.exe
58	584	wscript.exe
60	1776	wscript.exe
64	456	wscript.exe
66	584	wscript.exe
68	1776	wscript.exe
69	456	wscript.exe
71	456	wscript.exe
72	1776	wscript.exe
74	584	wscript.exe
76	456	wscript.exe
78	584	wscript.exe
79	1776	wscript.exe
83	456	wscript.exe
85	1776	wscript.exe
88	584	wscript.exe
89	456	wscript.exe
91	1776	wscript.exe
93	584	wscript.exe
94	456	wscript.exe
95	456	wscript.exe
98	584	wscript.exe
100	1776	wscript.exe
103	456	wscript.exe
104	584	wscript.exe
106	1776	wscript.exe
108	456	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1304 wrote to memory of 1776	1304	wscript.exe	wscript.exe
PID 1304 wrote to memory of 1776	1304	wscript.exe	wscript.exe
PID 1304 wrote to memory of 1776	1304	wscript.exe	wscript.exe
PID 1304 wrote to memory of 456	1304	wscript.exe	wscript.exe
PID 1304 wrote to memory of 456	1304	wscript.exe	wscript.exe
PID 1304 wrote to memory of 456	1304	wscript.exe	wscript.exe
PID 456 wrote to memory of 584	456	wscript.exe	wscript.exe
PID 456 wrote to memory of 584	456	wscript.exe	wscript.exe
PID 456 wrote to memory of 584	456	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1776

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\2.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2.js
Filesize
984KB

MD5
23e6dafa419a763923005e18ac40b8b4

SHA1
8e1d466bbf8278d773c30198fd166c8f2cc95134

SHA256
12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c

SHA512
9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js
Filesize
984KB

MD5
23e6dafa419a763923005e18ac40b8b4

SHA1
8e1d466bbf8278d773c30198fd166c8f2cc95134

SHA256
12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c

SHA512
9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js
Filesize
346KB

MD5
66dc2636a8030d46088ffea48edca927

SHA1
0b69c990c12f471bae591feff36810bee88dc8be

SHA256
f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e

SHA512
8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

Download Submit
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
Filesize
346KB

MD5
66dc2636a8030d46088ffea48edca927

SHA1
0b69c990c12f471bae591feff36810bee88dc8be

SHA256
f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e

SHA512
8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

Download Submit
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
Filesize
346KB

MD5
66dc2636a8030d46088ffea48edca927

SHA1
0b69c990c12f471bae591feff36810bee88dc8be

SHA256
f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e

SHA512
8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

Download Submit
memory/456-56-0x0000000000000000-mapping.dmp

Download
memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads