vjw0rm | 0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

Analysis

max time kernel
150s
max time network
172s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js
Size

1.9MB
MD5

f51aee23c560560ae8bddb813dbc69fc
SHA1

fc26a039ed4f48b957463d6dd20bc5c903337268
SHA256

0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1
SHA512

8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397
SSDEEP

12288:TCbvguAMWCPI7nreA07d7x3zqAEiQ3sm0YrYTdmEKGcrtHg2qTecw+z2Om:Qgu37tqAEiQcmGTrKG6t3qTRJm

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 61 IoCs

flow	pid	Process
4	2740	wscript.exe
8	2540	wscript.exe
9	3056	wscript.exe
11	3056	wscript.exe
14	3056	wscript.exe
16	2540	wscript.exe
17	2740	wscript.exe
18	3056	wscript.exe
21	2740	wscript.exe
23	2540	wscript.exe
26	3056	wscript.exe
28	3056	wscript.exe
30	2540	wscript.exe
32	2740	wscript.exe
33	3056	wscript.exe
37	2540	wscript.exe
38	2740	wscript.exe
39	3056	wscript.exe
42	2540	wscript.exe
43	2740	wscript.exe
46	3056	wscript.exe
48	3056	wscript.exe
51	2540	wscript.exe
52	2740	wscript.exe
54	3056	wscript.exe
56	2540	wscript.exe
58	2740	wscript.exe
59	3056	wscript.exe
61	2540	wscript.exe
63	2740	wscript.exe
67	3056	wscript.exe
69	3056	wscript.exe
72	2540	wscript.exe
73	2740	wscript.exe
74	3056	wscript.exe
76	2540	wscript.exe
78	2740	wscript.exe
79	3056	wscript.exe
82	2540	wscript.exe
84	2740	wscript.exe
86	3056	wscript.exe
90	3056	wscript.exe
91	2540	wscript.exe
93	2740	wscript.exe
94	3056	wscript.exe
98	2540	wscript.exe
99	2740	wscript.exe
100	3056	wscript.exe
103	2540	wscript.exe
104	2740	wscript.exe
105	3056	wscript.exe
109	3056	wscript.exe
111	2540	wscript.exe
114	2740	wscript.exe
115	3056	wscript.exe
117	2540	wscript.exe
119	2740	wscript.exe
120	3056	wscript.exe
122	2540	wscript.exe
124	2740	wscript.exe
126	3056	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2740	1660	wscript.exe	28
PID 1660 wrote to memory of 2740	1660	wscript.exe	28
PID 1660 wrote to memory of 2740	1660	wscript.exe	28
PID 1660 wrote to memory of 3056	1660	wscript.exe	29
PID 1660 wrote to memory of 3056	1660	wscript.exe	29
PID 1660 wrote to memory of 3056	1660	wscript.exe	29
PID 3056 wrote to memory of 2540	3056	wscript.exe	31
PID 3056 wrote to memory of 2540	3056	wscript.exe	31
PID 3056 wrote to memory of 2540	3056	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2740
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js

Filesize
1.9MB

MD5
f51aee23c560560ae8bddb813dbc69fc

SHA1
fc26a039ed4f48b957463d6dd20bc5c903337268

SHA256
0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

SHA512
8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit