vjw0rm | 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2023 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE.PDF.js
Size

2.7MB
MD5

42a42d7b66691e3fff3e691d70703ce5
SHA1

9e57f573570d068b964c84b5d7cdbf1fb010e3d9
SHA256

3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
SHA512

bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
SSDEEP

24576:ydSySTD8C4AeGIfkZP5Xog8NWtQVNmxE/imwx+pBUqyO57ZPUm:nnuLh

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 39 IoCs

flow	pid	Process
13	1328	wscript.exe
14	220	wscript.exe
16	2228	wscript.exe
19	2228	wscript.exe
21	1328	wscript.exe
28	220	wscript.exe
29	1328	wscript.exe
30	220	wscript.exe
37	1328	wscript.exe
41	2228	wscript.exe
42	220	wscript.exe
43	1328	wscript.exe
46	220	wscript.exe
49	1328	wscript.exe
51	220	wscript.exe
52	2228	wscript.exe
53	1328	wscript.exe
55	220	wscript.exe
56	1328	wscript.exe
57	220	wscript.exe
58	1328	wscript.exe
59	220	wscript.exe
60	2228	wscript.exe
61	1328	wscript.exe
62	220	wscript.exe
63	1328	wscript.exe
64	220	wscript.exe
65	1328	wscript.exe
66	220	wscript.exe
67	2228	wscript.exe
68	1328	wscript.exe
69	220	wscript.exe
70	1328	wscript.exe
71	220	wscript.exe
72	1328	wscript.exe
73	220	wscript.exe
74	2228	wscript.exe
75	1328	wscript.exe
76	220	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICE.PDF.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICE.PDF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INVOICE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\INVOICE.PDF.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INVOICE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\INVOICE.PDF.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INVOICE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\INVOICE.PDF.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INVOICE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\INVOICE.PDF.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1328	4924	wscript.exe	84
PID 4924 wrote to memory of 1328	4924	wscript.exe	84
PID 4924 wrote to memory of 2228	4924	wscript.exe	85
PID 4924 wrote to memory of 2228	4924	wscript.exe	85
PID 2228 wrote to memory of 220	2228	wscript.exe	88
PID 2228 wrote to memory of 220	2228	wscript.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE.PDF.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1328
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\INVOICE.PDF.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\INVOICE.PDF.js

Filesize
2.7MB

MD5
42a42d7b66691e3fff3e691d70703ce5

SHA1
9e57f573570d068b964c84b5d7cdbf1fb010e3d9

SHA256
3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb

SHA512
bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICE.PDF.js

Filesize
2.7MB

MD5
42a42d7b66691e3fff3e691d70703ce5

SHA1
9e57f573570d068b964c84b5d7cdbf1fb010e3d9

SHA256
3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb

SHA512
bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INVOICE.PDF.js

Filesize
2.7MB

MD5
42a42d7b66691e3fff3e691d70703ce5

SHA1
9e57f573570d068b964c84b5d7cdbf1fb010e3d9

SHA256
3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb

SHA512
bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js

Filesize
346KB

MD5
c92fd5c5868d3b5074bdafb4d00bdcc0

SHA1
e5b37d03eaffa0abd95fee227dbc8430d44897d2

SHA256
d97f4e5a8d586a62c824a0a351fa35084a22718cc958897d559625cabc067967

SHA512
580fea0230467e4b88d92aac86fcc187e6f1689020f9045080cb9f2481f69c83055e2bb69c3e4e2b5354b8380c81b1aa33dcfbad29a5f898e1ac79c3ea444aab

Download Submit
C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js

Filesize
346KB

MD5
c92fd5c5868d3b5074bdafb4d00bdcc0

SHA1
e5b37d03eaffa0abd95fee227dbc8430d44897d2

SHA256
d97f4e5a8d586a62c824a0a351fa35084a22718cc958897d559625cabc067967

SHA512
580fea0230467e4b88d92aac86fcc187e6f1689020f9045080cb9f2481f69c83055e2bb69c3e4e2b5354b8380c81b1aa33dcfbad29a5f898e1ac79c3ea444aab

Download Submit
C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js

Filesize
346KB

MD5
c92fd5c5868d3b5074bdafb4d00bdcc0

SHA1
e5b37d03eaffa0abd95fee227dbc8430d44897d2

SHA256
d97f4e5a8d586a62c824a0a351fa35084a22718cc958897d559625cabc067967

SHA512
580fea0230467e4b88d92aac86fcc187e6f1689020f9045080cb9f2481f69c83055e2bb69c3e4e2b5354b8380c81b1aa33dcfbad29a5f898e1ac79c3ea444aab

Download Submit