vjw0rm | 23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbda

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2023, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paid_invoice1.js
Size

3KB
MD5

2ef952eeb1e0caf443dfee9cbf97f086
SHA1

6226e9e1319a33c523e4634d64478cfef9bf2084
SHA256

23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbda
SHA512

72970f2e32009d4973eac334c2955f0ad185d6b7b670a1767e63440bae51c47bb040a9615cfae5d9d92f689a714098e58a77a7661a8a0b9316a7eceec27ce8a3

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

http://jsgrouplimited.duckdns.org:9614

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4996	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\paid_invoice1.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\paid_invoice1.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LCB3CVF1ON = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\paid_invoice1.js\""	wscript.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A82417F4-9EE4-4ACD-8669-1E193C014FE9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4696	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4696	4996	wscript.exe	82
PID 4996 wrote to memory of 4696	4996	wscript.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\paid_invoice1.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\paid_invoice1.js
  2⤵
  - Creates scheduled task(s)
  PID:4696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuE927.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
334bee4e8b3045a47599198a629016f0

SHA1
7cb146aa04ef504ca958128ea3c5339f5e3e2c3a

SHA256
83603d606c9146970b68d89f51764bf8a43e9b6e931464ae2ccc13f1152cb53e

SHA512
473f5a45561d16ca08e5707d37df97da5dc31993cb1bd157a4ef0b18032677809e4d096cf937f6731b1c5eb393d846f89dd82c6915123c9dae56c7e9c278d5e5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
bd1e3310bede07b6e3009242271e650d

SHA1
7ba35981fbe5623919bab26805e2e04af87413bb

SHA256
bb376a6e03ba84116595905f5ab3f2ed93575bae055087a3297712a7cf5c72fc

SHA512
8fbcd4262ec14f1a6d4356205a2012f6255aa2236a4701630a64213d9a8fd8946e283d5eeac278c8b8c54a940dff7422cd92a661eb719ebc70b716e8f25c56d0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
836c681fd68dca9afae833ab6d1e517a

SHA1
f135752ad7d3a4c120b6624be5398601a73b5dae

SHA256
ff2975ecd8a91be09de5e9565613359b099335009d84de5a0a7ae37575e73fce

SHA512
f4ccceaa743c330565e2ed9882fc5805d4f6df105e86031a0bd21e830957cc94396f746ad09c6697828207ce43463ecc01b11bb56132de11f9b3b9e713e59626

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f4b4cda30b9584adfa0012471e63f797

SHA1
1cbb588fb21f13782239c5e48605d0defe560578

SHA256
68e16b0767c0aefaf444835486b72e1b6f6525b61ee5afe45180a0aa5541b91e

SHA512
2108b4d95c473d5482873ce2a56edd8f75a94e0b28ce753f52cd27282cd6530432a2605e3c4836dd89d1b8c84a9f6ca3d9c4832bca2ff6ab7e43ad7c634ed45b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
8df1d518f3af6d99752cc33e8f6f34b6

SHA1
06771a8ab6bc18522ea66a5063af7add6ac95ccb

SHA256
552f5aec7864f63e3db9104fe69513b2ed15a23059d355929b396c2c81a7331f

SHA512
4f8a376ac4198f1604dbef914507cf01d8c00ec3ef1ea54db3e8be7d6cc042dc457a89db5224d4f84e6784059ede3d8bc88a66fd55e527c91c6234162f4a213e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
63d8f28c33e63d96296fdbe8edc98367

SHA1
8447733586fed1e3da3dab3aed68d1262eb314bc

SHA256
8667054c76997fb3ce60a905080c358de27183b44a16a3b1d234dff7d9e12252

SHA512
b25ba3a04a15e800f159199f4178fcc8fceb80ea5a343e244032723c459f58497d115e62ab6bc7bf9bfbde0a3e90f2dbaec08ca54772b7084bf42dcefeead31a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c768fc2606963d47a0d3fd4d1a30eb50

SHA1
81a8e3f862d06f9acc2ac0f63bfc4ca7b9926830

SHA256
3e402a8fc152c65e4b8171a82fd900a1f709d83ac5d5fc2b574231a7455d7e86

SHA512
3548821af0a6cc1658b24b7deed2a499885758010fd60dbbee968f3ec84e71ab1f41bd9dfbdc6372406b3ffb15d3c8af7f9f55d916ac8e7cbac4e6b2a37b8f9d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
61c1845ca381b06c7e2f564e16c153bd

SHA1
1f336e6349e711aaeee67961fc6eda333b5c6495

SHA256
182c1acdf0b198be98c8a86bc7db03ae8bdcfb0b45126f358ea79f9216a57146

SHA512
e2960db0b0c03a3f6a1697d125be7173df9ae90ea61443cd4bf35dfa9c0add5edf403c8f604701a27e4cc1e78485965f7cd2f3ac3c6363123948722c50ccb363

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
bc9cc5be04c074a46720e1f10e876176

SHA1
8df561fdc1ae0b7941ab6b26efced2f8f3f6b8fb

SHA256
2c477a2913b9dc565520d1660e52a167b8b49c1804094e525aa98f44b0b41694

SHA512
d76ad9eb6366d477888bc4a2612d6c1fe7a1c6eba34746ff719c0ccbeec9aa02b5fe2864bbe965aea6dabf48bb6eca3205238f0cb4c1ad3708454262dcc48374

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
03604b788b373e2e096666da17c94309

SHA1
ed69a15888ec61ff1beded798016ad6678d5f99d

SHA256
efebde9c1534f9c848653b651b25595942f26bfe7ab26777af939ccc0690dd5c

SHA512
c8b9f25a336bbfe45a3076ab9fec17c9f2ee707985c2465b4f3cbc73460cb3804f70fe876d428d9d7feede58d03b326cc713dfb470c69659b5c17f1f518dbf08

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
714acb26878a31955c71d1137fe9f04a

SHA1
f3cfb955e2d987505a0e279019a45863526f81cf

SHA256
9bdcc3e629b6b15efeda92303064cffbb479c885756abeddb877329eb9566bcf

SHA512
ae9f5902684a9616ebccc7129392ebe9dbe1f44463762e4fe2870e94927f536b040b8038fb69ce1f1aeb766c5626c36cecc5749ced5671c3b7bf789496fce5d3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d45c79366fe8ad979d4a587a575f04ea

SHA1
20246bc3e39e37434bfdcd3cb1bf58db25d4f134

SHA256
04bebf4a5e7495172ca04a1fbfc3d98fb3bd267655152e61cd019d6189a9daba

SHA512
7cedf608607259ee3300bbcf894247228765cd2892eb8e8e60ee915dc2e12b8790d70f6ebbb2fcbf6e3161d273a24e8db413af6913448b5b051dd57390fb703e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
6f88e55eca0f926a2477fb354b878fe2

SHA1
15ecf2a0390c008527bb9e609c5ba4caa15f4bf8

SHA256
4d0d4d36eee1f1f932446959f0bb5a1314785f1f8adc0105e6d3219f36ae1e3c

SHA512
0e09d0c992cd4f36d4f12984abacdb3dd285c2b602bc56d925d8c60b6eba440444ae7309da62c4d827c615217fe40f22376268ab4ac186c940df545d661de6c8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d4fffb84143f7a6fd23cf64c1a1339fc

SHA1
c0e89c66328ed2fa7eec13be1fae61cf8c3caa95

SHA256
f5f06ab6a5b9916ab3e54fb5c59bdd5cefbd7f6764c7437272487b3940751195

SHA512
d424fb7ae80de9ea9b87648a5a23c7d9ffb80b193be0c6d50ce8d8a6e3ea3d0c7862329e56d1ea906ae1711391a19a61ea204e05c7e058ee5f7926279d245c1e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
9065c83e24436851e59eec82ae022ef4

SHA1
32542ceac11ca361f8b1164bc6258fed01bf5fe6

SHA256
1072859b1e4c190acbca138bcc3bf6b24344c0efe5e31f4af5384c557fcf8099

SHA512
7b4305af07d57ef82547fab74f2d395f0c81a58a438f14e898b30827e4610f0e0184e34993e0c21e1da73950a0c1959e71053fa9144fb6ba91f6e1c959970370

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
8f2d274018f59a1fb795ae567e73bab8

SHA1
651dbc5129060a862ae9eec6c4af89644d2169ff

SHA256
cc9efab51104a9cac3571838a1cdad8904a2eed22a0292738e915ae42956faa0

SHA512
4d9d0b6413d66fb6f6cfdc3e6f9d08ed9b92be7a9259a593bbb09f1dd014fb74ac1f31833e612748349426fae4ac4bff4b40a10b15a952388f5430531732b37c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f999d09ba785d2dc655cae004b6cc402

SHA1
f1cb6a1e40bbe92e1de21577a58717db5b7b66b6

SHA256
baa301d85e9751f3138e9845674042930dceb9c3c0941c0596c734943eefec2d

SHA512
2c348b13bbc6cf947bde63d52a7aaf751d1c19e5052bc03bdb498d22409139c667ee8d550361e76c55b3f4f5ffb66f3fe8147c95d29aa0fac071d2b9b3cbbf54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
5f559b870cae23bc6446ba891c40c15a

SHA1
103dd43df1056150fca95d04ce0afebc33d5fc40

SHA256
e87f49645e572b81f42d510973cb7a6abc561bf4be82e2847cd7439f8dedaa08

SHA512
efc19dcfec828a1fd2fffa9898191fce44188b80fdf39c4620f469044bd098649d0c61c62cc6c3c3126ceeebc13797ca9372be10469f7fa8e3e2bc959cb7db7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
759f230334fbc0e2e6d70cb868e5a3b9

SHA1
ae8ff7f0a36be8dbea5d5580ba038105e76282d0

SHA256
140d83992b6672705f0ffce7745c95c4205794dc719b7074393ba078577bbad8

SHA512
66ddef30ec98aefcaab1db4c802f95bb47a35809041519025daab2d1ac50fddeaf7c2746f6726ab084f692676578fef4adfeb6e31333cd541a1b8c48b3592b35

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
af8c81e250bafc7cf7b4d1b58ca0a6ce

SHA1
4cdde5c0207ee5835c3a3d274c213787d70d1d72

SHA256
48b4822adc0428f7868689b6c77c5b9bd61bb15abe59996fe270ea6f9a4c4f4d

SHA512
523f695a0683a93d0b85cc327c79c82e526af4ca639c3fd30309227955c2bdd4fcffa2deeecb720f6b8eb33b99059f05354492e39730e80c2dadd8996785e925

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
fe29e072df779669935ab0ab7662fdee

SHA1
a9c64e463f435d7612539f1769262a2428a66f62

SHA256
3b650dc837e9c5dade4338643015c351e9a84ce730a03d046f804e2b4bdd6742

SHA512
4ceba11594ff149416360feff19ab46397722ff0d3b63a98894f42b4116d9a6ab9cc33f5b1cf7cfb8b86ea4034a1e51049bd7fa95c5ca0d61699af7947f83106

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
ba8b3b7702e4753683a9bdbacceebd1b

SHA1
bc117ba5e93be0d35bfdd6ff3913c0db76cf53fc

SHA256
958cc3ee6c571b211033fbd1f8a792b343a92f515d9179dbcfe83d3c7023789a

SHA512
20580d6c5b89b23951d41b77bb20e92280c2b7e14e3f7d038b17f7ce79998a297ae035cb16e2ce3cf3e9a1d4bf7f986dfb9b43251dff820e3abcea5f395f6269

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4321876edcbc55fb620c67bd5765d262

SHA1
28882f36b3aefa11d25d1663e91fbeec70cfd2e8

SHA256
bc6071a829252516be12ef59f0a453ec0df058271ede4841c7fdedf3e2871467

SHA512
b9ffac752a2fdedefe76f0854d341bfc6b9dcbc64054b31092da5f9fa728411d0a5ef83a29c00c4dcd3fb7a4b27ff588183afca7a08bbda17fa2dac00323957b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
6b967953c7a3cb123db64c91b023bbbc

SHA1
9b8af677f72f4866355d8b859a046ad2bdb1210c

SHA256
b4cb0ffd54c19058f563e126c571052168702278884e33fa1c34e421d30374b4

SHA512
2a717311287c68aef18dc760acd20bcac5af407939b33014175c91eae3191a17b993abd43ba2512933329a99fb06cfac7b64ef3397a8322635c80bcf45ece96e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
503bce24a1deaeb6402a64b313881a8e

SHA1
12bb202780fb91c6d2680f74af6efd19f55cc347

SHA256
cf0707e10f4ebb1bc5771d612d16d96a6709b7d8b62f8d83ef2a4f1c392cbc32

SHA512
c5774ab873c4b2f542c6e176c8d3462410455b5caad57dd08f923bbe12b2fb9c938b88ca2a1a6a671d4043b1821b830146af580d3e7cc3b55e3a238d038fc0b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
2fe8456d39cb4871cc8186be9108346f

SHA1
c2f884bf4ee6dc139681ecffa340dc63cdf07a31

SHA256
37450c56914d6d365c3f297b213906e0506aaa7bb620a008a7624699dfc2cd4a

SHA512
aca9e1cad7aeefb39f070509488899e4fa5508abd8ce660d4b6ef3f27e85c72011cf9144d33bbb0915b94666cbd9e05842464c4623f18a34b97e6e7e065d4308

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
6aee67c136e178835ca7491b56337990

SHA1
51c54f9a478ed752b64e6d08955a0da195381785

SHA256
e7d4646a9856e4eb3362111f326c1f0e549b49ff66b0e3cd13a3a0f16c5216ca

SHA512
214a02b035b7a4b676873ad4fc02c1aff6f85dec510e82b2a3ea16e4b01896b8244c98fb8c298d3c96b5125be4ccbfc4ca02d9b71f97dd8df2c2db23446dd18e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
ecb483521ca5d5bb0521d95b700421cb

SHA1
4234ee8b5d0007239f311fce8e9c6853afe84bfc

SHA256
3477590b3de7e1fd7a4a6b5ec7e38484c8e6e16e218f3a095879545fe9b41fab

SHA512
849652fe853c70b93b8216849d23539bedcc6b194bcf5b3b8d3ea47cc2f44fd3803a862d013ce39586d05f0c543f1d615c7a4eeb1fff0081f9583a12312c9e0d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads