vjw0rm | e6a1e467986946fec245767752bfdb0b627488834769bc4ea18cfe5416ca97c8

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-05-2023 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shipment_details.js
Size

4.2MB
MD5

fa2dccbcd1a13b5ed4a37cfe2f6bd98e
SHA1

e9bfca02fe3610209e4d978706fb0ffa708c23de
SHA256

e6a1e467986946fec245767752bfdb0b627488834769bc4ea18cfe5416ca97c8
SHA512

d7fff2cb89edf7ec8d7e8e3c87c339a0d89b9ce90245985f27bcbd59c2cfb27dfb9e757fe5cae6b33728def4221ef1e2a7bca8876be36dd3d54ae86db5837ff8
SSDEEP

24576:DLXDS1oAQLfjv/dcBBEKURJFxCl4V0lZ3LUua5qTV/+GuPII+yo6gcuXoHmGt7SA:KgPFV5

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2004	WScript.exe
6	2004	WScript.exe
7	2004	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GveCwylsAy.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GveCwylsAy.js	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2004	2024	wscript.exe	28
PID 2024 wrote to memory of 2004	2024	wscript.exe	28
PID 2024 wrote to memory of 2004	2024	wscript.exe	28
PID 2024 wrote to memory of 1400	2024	wscript.exe	29
PID 2024 wrote to memory of 1400	2024	wscript.exe	29
PID 2024 wrote to memory of 1400	2024	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\shipment_details.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\GveCwylsAy.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2004
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zlaznmuwp.txt"
  2⤵
  PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GveCwylsAy.js

Filesize
346KB

MD5
7b9709a9153ac4cb215f16fdf60be200

SHA1
0883c7965e51ecfd6a947b9bfd6b423f121196db

SHA256
f44886cb49e3a9ba393eff0736521cd8c8e54ebc91502e866bd702d9308d7e50

SHA512
c482c760a396fea1c1707fcee39f43d58fd8731f4c91a18a355659e63656cae67b5ba41a07cef932c09e0564d7022739cdf53fd3821cda2d0e774f4a2b584f02

Download Submit
C:\Users\Admin\AppData\Roaming\zlaznmuwp.txt

Filesize
92KB

MD5
d03e147aa64697d957d39b1c641fad7f

SHA1
ba541702a1e4a8a05c72c613f466ff06dc268a5f

SHA256
0bce2dcb90b837d4d30ed36842d76d0e87cc548497eccac7c650efa3e650fedc

SHA512
50f1bb4bbacb25e79c9f80b6c9a6766865d8e682bebf162fe84f208f3f2dc2487daf08bda5072866848641f6b1f600968614e2dcbcb628d32fbb1467422dd04f

Download Submit
memory/1400-70-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download