vjw0rm | 0a19ba2af0a2c3b6bdb5c7265439185093c1f6e8128338b7d566e3a15cc8b193

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-02-2023 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a19ba2af0a2c3b6bdb5c7265439185093c1f6e8128338b7d566e3a15cc8b193.js
Size

3.3MB
MD5

31ab51d7763f4f5ad28694ed48facfd3
SHA1

a30f977582468ee7cb1857e126dfef4ea741c661
SHA256

0a19ba2af0a2c3b6bdb5c7265439185093c1f6e8128338b7d566e3a15cc8b193
SHA512

f25fd376bf29b214bf3442a1abbed58c0d39f82cf9fbd6e101ea54f37c73784a896a3d13794ab3c383977856c76fd75d79059bfe9db646ed85a31fe0b9a21c05
SSDEEP

6144:RAAAlAAAR2AAADAAAAPOAAAqAAAJAAA6NAAAs6HAAAWAAAAAJK3AAAA0eAAAA1AX:UByMBLiHMuSYL

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 14 IoCs

flow	pid	Process
4	1068	WScript.exe
6	1068	WScript.exe
7	1068	WScript.exe
9	1068	WScript.exe
10	1068	WScript.exe
11	1068	WScript.exe
13	1068	WScript.exe
14	1068	WScript.exe
15	1068	WScript.exe
17	1068	WScript.exe
18	1068	WScript.exe
19	1068	WScript.exe
21	1068	WScript.exe
22	1068	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kQiFcryrxG.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kQiFcryrxG.js	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1068	1468	wscript.exe	28
PID 1468 wrote to memory of 1068	1468	wscript.exe	28
PID 1468 wrote to memory of 1068	1468	wscript.exe	28
PID 1468 wrote to memory of 1880	1468	wscript.exe	29
PID 1468 wrote to memory of 1880	1468	wscript.exe	29
PID 1468 wrote to memory of 1880	1468	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0a19ba2af0a2c3b6bdb5c7265439185093c1f6e8128338b7d566e3a15cc8b193.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kQiFcryrxG.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1068
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\gwjolorz.txt"
  2⤵
  PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gwjolorz.txt

Filesize
92KB

MD5
5be85a3513d520cd33a708502e4bdd78

SHA1
e131478d034daf8a7df28348dd30e7190d006d8d

SHA256
6805731c669fe4543a3db4fe7c318876f99f136a161068686368d98be9614118

SHA512
04186ca1113192f683677fd8f423ddfc51b20fd00459a5d504f1a10cb05d9d64faa16ecde6579a1ae865f84a3452493690fe1bc9fc9e7b324b01b1cd9330d43b

Download Submit
C:\Users\Admin\AppData\Roaming\kQiFcryrxG.js

Filesize
1.1MB

MD5
8de8e9446f86c2eca38bb30cd90639fc

SHA1
890ddc33be02f0cd3b39c0477e1d7a3658ee1dcb

SHA256
28a3d48dfb36a05c5699f8482c7b5e933535a9fb58ae1600e33cddd9a606473c

SHA512
9006ccf1fe4f795a4575d1c61bba08a97b94700d6596b9ec3e9b2ae3e069201621175a96d4a5a432c0cfb49c6cf5136677ef08116821ad34e93a26752836c0ef

Download Submit
memory/1468-54-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/1880-67-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/1880-71-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download