vjw0rm | be642fbf0a49582e7fee104a7d8dad9eebd11e3ec175256a8a6c86b7fe93bb0c

General

Target

d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js
Size

4.5MB
MD5

9cf2c793029ae8dd84a387ba66e8c432
SHA1

48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10
SHA256

d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9
SHA512

33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848
SSDEEP

24576:8NLb0+2xYFsLoDw9svltZ7r55HNYYkY4WOxbZQCgvRo5PD1rMLSeGU0pOlBY9Pcw:3ueQa

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 7 IoCs

flow	pid	Process
15	1404	wscript.exe
17	1404	wscript.exe
38	1404	wscript.exe
48	1404	wscript.exe
59	1404	wscript.exe
71	1404	wscript.exe
75	1404	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4936	4112	wscript.exe	83
PID 4112 wrote to memory of 4936	4112	wscript.exe	83
PID 4112 wrote to memory of 1404	4112	wscript.exe	84
PID 4112 wrote to memory of 1404	4112	wscript.exe	84
PID 1404 wrote to memory of 4392	1404	wscript.exe	87
PID 1404 wrote to memory of 4392	1404	wscript.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
  2⤵
  - Drops startup file
  PID:4936
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
    3⤵
    - Drops startup file
    PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js

Filesize
4.5MB

MD5
9cf2c793029ae8dd84a387ba66e8c432

SHA1
48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10

SHA256
d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9

SHA512
33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js

Filesize
4.5MB

MD5
9cf2c793029ae8dd84a387ba66e8c432

SHA1
48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10

SHA256
d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9

SHA512
33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js

Filesize
346KB

MD5
0fbcb6f83b0f64e57835d021bb6e917d

SHA1
0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38

SHA256
c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466

SHA512
70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f

Download Submit
C:\Users\Admin\AppData\Roaming\d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9.js

Filesize
4.5MB

MD5
9cf2c793029ae8dd84a387ba66e8c432

SHA1
48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10

SHA256
d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9

SHA512
33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848

Download Submit
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js

Filesize
346KB

MD5
0fbcb6f83b0f64e57835d021bb6e917d

SHA1
0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38

SHA256
c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466

SHA512
70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f

Download Submit
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js

Filesize
346KB

MD5
0fbcb6f83b0f64e57835d021bb6e917d

SHA1
0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38

SHA256
c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466

SHA512
70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f

Download Submit

Analysis

Sharing