vjw0rm | 00b6a46542f80c34df42fe3d9e369eb7c39566e902e9ac92238dc90166446a6c

Analysis

max time kernel
14s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HK SEMI CORPORATION CO,,Ltd.js
Size

4.6MB
MD5

3cbcc574b184d5719059b21b9786bbf0
SHA1

9ed29659b5b54cdf60cf2b9495224aec1a261e67
SHA256

00b6a46542f80c34df42fe3d9e369eb7c39566e902e9ac92238dc90166446a6c
SHA512

68d5c2e058f28c9f1760f40af8fce6b0f786a0ed4aa99cc86df227415c66688e6de1264929d937ed20d111d7551b7ec0944791a5753045ce821167b09ddac9c7
SSDEEP

3072:2GRbdyiMKBDjY086keLyVXiQp7IayQ6Q/27SSi8s2ag6N8TiwzccqhWM307KIiWW:R06HV4dbI+eeHbESp

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 4116 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wscript.exe

flow	pid	process
6	4116	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrdqnzeXbF.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrdqnzeXbF.js	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 920 wrote to memory of 4116	920	wscript.exe	WScript.exe
PID 920 wrote to memory of 4116	920	wscript.exe	WScript.exe
PID 920 wrote to memory of 3168	920	wscript.exe	javaw.exe
PID 920 wrote to memory of 3168	920	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.js"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\SrdqnzeXbF.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4116

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rjyukyvuwo.txt"
2⤵
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SrdqnzeXbF.js
Filesize
346KB

MD5
4e73d37c3f3e7adab48a636d20e7b4a5

SHA1
b7148b18df8df7e731694043ceb2050e3463f99c

SHA256
7a4ae69336738bf3431e38c7a1abf0190f1f074b13447914cd42604c7174254e

SHA512
6a3565af24a0e8a4a2e046752ea0f1d966013d3e6bc10a755b3f13eb33c63487fef2698217e54f87d2c314d38760fe079004798d1c7b860b1960d75b5798b1b9

Download Submit
C:\Users\Admin\AppData\Roaming\rjyukyvuwo.txt
Filesize
164KB

MD5
da535bbab93f526e10242ab516b0288b

SHA1
d8b7c7075828195a0c63850d226e2b01492536b4

SHA256
9323684aebe7748204540c226f533dc327074e3aa4b238970d9484a1c8abc426

SHA512
0d2025ab35e533d2ca1142006326c1573055560bea5b311fec5ddf129d5bce3be2778264e58bf183ee6fa9ee681cf3c652f20ab3aae789e96cb3796f7ed65af8

Download Submit
memory/3168-134-0x0000000000000000-mapping.dmp

Download
memory/3168-138-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/3168-162-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/3168-169-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/3168-175-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/3168-176-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/4116-132-0x0000000000000000-mapping.dmp

Download