vjw0rm | 3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

done.js
Size

3.0MB
MD5

a2b15f7f09bb920f99300225c14be950
SHA1

5afaa8c209fcbaade7c7cfe4a9f031c1c3cfab5a
SHA256

3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1
SHA512

8dc9b46f18416f7059bc4bbd3603ded4d5e7e6ac7ff7b0d5a485ec9c38fef572311ac12fef945ae5e6c4b36249c5b7a2653a8fd578997c898cbab3d2b936e9a6
SSDEEP

12288:W6E6Fw4dpkVmV7uVszfjvWaam7o+RRaxl6/ZWi2nn1Dx7DqI8MAwshf5/zeihN5n:9

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Family

vjw0rm

http://84.21.172.33:8895

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
6	1424	wscript.exe
7	904	wscript.exe
9	1424	wscript.exe
11	1424	wscript.exe
15	1424	wscript.exe
16	1424	wscript.exe
19	1424	wscript.exe
22	1424	wscript.exe
23	1424	wscript.exe
25	1424	wscript.exe
28	1424	wscript.exe
31	1424	wscript.exe
33	1424	wscript.exe
36	1424	wscript.exe
38	1424	wscript.exe
39	1424	wscript.exe
42	1424	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1920 schtasks.exe

pid	process
1920	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 904 wrote to memory of 1424	904	wscript.exe	wscript.exe
PID 904 wrote to memory of 1424	904	wscript.exe	wscript.exe
PID 904 wrote to memory of 1424	904	wscript.exe	wscript.exe
PID 904 wrote to memory of 1920	904	wscript.exe	schtasks.exe
PID 904 wrote to memory of 1920	904	wscript.exe	schtasks.exe
PID 904 wrote to memory of 1920	904	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1424

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js
2⤵
- Creates scheduled task(s)
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js
Filesize
346KB

MD5
4083302483805e12c18b4af0fea38f90

SHA1
39cf040ed83a60b03b589f8fb4a0a7eb4e7ed94a

SHA256
4466a41c5a4186418db1344742285a9c0fa2535b7190993e9b071a273e800800

SHA512
4f8759dec93ff19dc14ae02bea6e8c9592da20569f62e1a34b435d353b3f1f7b19cd02d1296fd9ac75833a5a1dfdcc713c4cbdba0098e85a6ef5ee6544b818fa

Download Submit