vjw0rm | 6344a3f801d7d74fa018782788ec3ec845cf91bc3a84ac5b56002d2648a4cac0

General

Target

d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60.js
Size

3.3MB
MD5

0d0b1fc606201ddbf74b4833e08994b3
SHA1

177895061db3b2264b72bd57b96e707e7a3e50b8
SHA256

d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60
SHA512

45fef7799272fc8606a50c7f75c280a121beb92119f11c00db6155c8b084ae69635c0201fdd96fa0398e33b43f30333767940a75bd5fb88908fb4050160f37b6
SSDEEP

24576:pJSd1V8/DH6mBy0ayVbGw9GZ0dKEMRs1Ayq+cISRxQCNj+4AX:ntbNX

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

17 4488 WScript.exe
35 4488 WScript.exe
47 4488 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation wscript.exe

flow	pid	process
17	4488	WScript.exe
35	4488	WScript.exe
47	4488	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FAklApsLii.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FAklApsLii.js	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3260 wrote to memory of 4488	3260	wscript.exe	WScript.exe
PID 3260 wrote to memory of 4488	3260	wscript.exe	WScript.exe
PID 3260 wrote to memory of 4896	3260	wscript.exe	javaw.exe
PID 3260 wrote to memory of 4896	3260	wscript.exe	javaw.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FAklApsLii.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4488

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jsfhaxb.txt"
2⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FAklApsLii.js
Filesize
346KB

MD5
504251620320ddd73e04fd077598f06b

SHA1
ed16dd17a1b3fd621083999e1697ac8d7d4e196a

SHA256
5fc4c580b97320b95dae37a9ee422735eb39b660a890d41f1631369f3f477f23

SHA512
69f290c8af09736666189ba80a4147dcaf9da793ece50a9a7523e9a27c011f8773971e2687cddc6c04b8d54a15fabdca80d9de63e62a00a4a4de26b9d2ca1157

Download Submit
C:\Users\Admin\AppData\Roaming\jsfhaxb.txt
Filesize
209KB

MD5
5908fc19ceb339ac7559095bc462e625

SHA1
c7d780b9524c732e26112d81a067a8fa664e805c

SHA256
255f2eeceeca9b1f4075e8a90a6f2ee46032ce60947b6ab612eaf347d5ae987e

SHA512
f3710dc3a78f6af0f59f78aa20f681816a50e2f7a5ccf7783e62c232476e7afe7cedffceb58df6e19a32f1282c79251fa54cadbf9a45509ec90e0cabf490ad82

Download Submit
memory/4896-150-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-159-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-166-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-173-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-201-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-204-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-205-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-208-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-209-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-212-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-214-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-215-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-220-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-227-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-229-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-230-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-234-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-235-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-236-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-237-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-239-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4896-238-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing