vjw0rm | c956e252ffa7148f6c075e639297ab2df080920edc53e28021f3156827249ae6

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proforma Invoice 3001855006.js
Size

48KB
MD5

c64b396e9cb42b2234a3bbce8728de92
SHA1

71c018361c833fb31b8160059f95516fdaed5e2d
SHA256

c956e252ffa7148f6c075e639297ab2df080920edc53e28021f3156827249ae6
SHA512

b64c3b866497325c49dcb6c11987cf7bb0e55439d792fa8c520b97b8ebcb4d8f6d24d3715acfaeb4b51f8275c835959e81741bf928baa97804f351ad98f7501e
SSDEEP

1536:Ub5m/DuD+CWJbBG7MPI7MMdHl8aFzMKhKyM+anvJKa5YYUfMFfqUagMlGeMqmN34:Ub1uBAMPI7MMdHl8aFzMKhKyM+anvJKz

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

7 4380 wscript.exe
14 4380 wscript.exe
25 4380 wscript.exe
33 4380 wscript.exe
36 4380 wscript.exe
41 4380 wscript.exe
45 4380 wscript.exe

flow	pid	process
7	4380	wscript.exe
14	4380	wscript.exe
25	4380	wscript.exe
33	4380	wscript.exe
36	4380	wscript.exe
41	4380	wscript.exe
45	4380	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4888 wrote to memory of 4380	4888	wscript.exe	wscript.exe
PID 4888 wrote to memory of 4380	4888	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js
Filesize
18KB

MD5
135ed79b9eea21fa24a2517885b8745b

SHA1
17ce07b47b0fa1212f30f3879850ec5e7625fbb0

SHA256
9feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257

SHA512
3d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3

Download Submit
memory/4380-132-0x0000000000000000-mapping.dmp

Download