vjw0rm | 23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbda

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-09-2023 17:33

Target

23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js
Size

3KB
MD5

2ef952eeb1e0caf443dfee9cbf97f086
SHA1

6226e9e1319a33c523e4634d64478cfef9bf2084
SHA256

23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbda
SHA512

72970f2e32009d4973eac334c2955f0ad185d6b7b670a1767e63440bae51c47bb040a9615cfae5d9d92f689a714098e58a77a7661a8a0b9316a7eceec27ce8a3

Score

10^/10

Family

vjw0rm

http://jsgrouplimited.duckdns.org:9614

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2000	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\LCB3CVF1ON = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2036	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2036	2000	wscript.exe	29
PID 2000 wrote to memory of 2036	2000	wscript.exe	29
PID 2000 wrote to memory of 2036	2000	wscript.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\23280d742e475a0a00dae2a6ff0686092ccd14f02b292b4be61de7b73b7dcbdajs_JC.js
  2⤵
  - Creates scheduled task(s)
  PID:2036