vjw0rm | 60dc0a8be19240f01faaccb73e6ca2a36eecbacc4dec970da118a5a5a4c0806c

Analysis

max time kernel
132s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-09-2023 10:57

Target

DOC290823-29082023144405.js
Size

27KB
MD5

ca14b59192253392826fc0112c58b5a3
SHA1

3062aa9e1ce73041e15e923b1434bf48b720090a
SHA256

60dc0a8be19240f01faaccb73e6ca2a36eecbacc4dec970da118a5a5a4c0806c
SHA512

15af45eb520ed208fcd16c4e08272d48c52284fc9bf45524f29c1f2686e9649ee4c9ab5492da5240f397fcec9c81edc7c7c62ad668bff0fa938aa45d9cfca4ff
SSDEEP

768:XR51sMQicU8KzTypDxM9GzRdxVvemUZZbthohf9AQ:B51XcUTAtldxBxUzth89AQ

Score

10^/10

Family

vjw0rm

http://severdops.ddns.net:5050

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2404	wscript.exe
6	2404	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOC290823-29082023144405.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\2RJZ4PQJPY = "\"C:\\Users\\Admin\\AppData\\Roaming\\DOC290823-29082023144405.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2620	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2620	2404	wscript.exe	29
PID 2404 wrote to memory of 2620	2404	wscript.exe	29
PID 2404 wrote to memory of 2620	2404	wscript.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DOC290823-29082023144405.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\DOC290823-29082023144405.js
  2⤵
  - Creates scheduled task(s)
  PID:2620