vjw0rm | 76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a

General

Target

vjworm.js
Size

47KB
MD5

4d4480b2a363d66f2647d10d978c085a
SHA1

3f9d64be86691d734d8d7018ff0436b615e7effc
SHA256

76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a
SHA512

3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b
SSDEEP

768:8tZ8oMh8ycJrJWRJpBWefOydp5pb5aNs9SVY4D3HaTvICf99EWrWExBSSLtLG:8tZ8o28yKrJ+HWQOydp5pb5aNs90Y4DP

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 21 IoCs

flow	pid	Process
7	972	wscript.exe
17	972	wscript.exe
24	972	wscript.exe
28	972	wscript.exe
34	972	wscript.exe
40	972	wscript.exe
43	972	wscript.exe
49	972	wscript.exe
51	972	wscript.exe
56	972	wscript.exe
58	972	wscript.exe
60	972	wscript.exe
62	972	wscript.exe
66	972	wscript.exe
68	972	wscript.exe
70	972	wscript.exe
72	972	wscript.exe
74	972	wscript.exe
76	972	wscript.exe
78	972	wscript.exe
80	972	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4244	4976	wscript.exe	83
PID 4976 wrote to memory of 4244	4976	wscript.exe	83
PID 4976 wrote to memory of 972	4976	wscript.exe	84
PID 4976 wrote to memory of 972	4976	wscript.exe	84
PID 972 wrote to memory of 544	972	wscript.exe	85
PID 972 wrote to memory of 544	972	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\vjworm.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"
  2⤵
  - Drops startup file
  PID:4244
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vjworm.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"
    3⤵
    - Drops startup file
    PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js

Filesize
8KB

MD5
f835554d0a082a0f29fceb25ca077d3a

SHA1
3da72690ae950602516c471e6732810d484c9c4c

SHA256
8fda4f0487b7a6c80ae2d524ab571f0819b229e9b453b0aa91ea67fdbffbcfb7

SHA512
271a7870d427deeeebab5c04de4a39d071571ffeabb32b7fa8539c0f7269548a76c6a0973a49b951db3792bed59ad97a51584914a042324d46db43fe342479b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js

Filesize
47KB

MD5
4d4480b2a363d66f2647d10d978c085a

SHA1
3f9d64be86691d734d8d7018ff0436b615e7effc

SHA256
76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a

SHA512
3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js

Filesize
47KB

MD5
4d4480b2a363d66f2647d10d978c085a

SHA1
3f9d64be86691d734d8d7018ff0436b615e7effc

SHA256
76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a

SHA512
3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b

Download Submit
C:\Users\Admin\AppData\Roaming\NEFneLogGT.js

Filesize
8KB

MD5
f835554d0a082a0f29fceb25ca077d3a

SHA1
3da72690ae950602516c471e6732810d484c9c4c

SHA256
8fda4f0487b7a6c80ae2d524ab571f0819b229e9b453b0aa91ea67fdbffbcfb7

SHA512
271a7870d427deeeebab5c04de4a39d071571ffeabb32b7fa8539c0f7269548a76c6a0973a49b951db3792bed59ad97a51584914a042324d46db43fe342479b1

Download Submit
C:\Users\Admin\AppData\Roaming\NEFneLogGT.js

Filesize
8KB

MD5
f835554d0a082a0f29fceb25ca077d3a

SHA1
3da72690ae950602516c471e6732810d484c9c4c

SHA256
8fda4f0487b7a6c80ae2d524ab571f0819b229e9b453b0aa91ea67fdbffbcfb7

SHA512
271a7870d427deeeebab5c04de4a39d071571ffeabb32b7fa8539c0f7269548a76c6a0973a49b951db3792bed59ad97a51584914a042324d46db43fe342479b1

Download Submit
C:\Users\Admin\AppData\Roaming\vjworm.js

Filesize
47KB

MD5
4d4480b2a363d66f2647d10d978c085a

SHA1
3f9d64be86691d734d8d7018ff0436b615e7effc

SHA256
76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a

SHA512
3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b

Download Submit

Analysis

Sharing