vjw0rm | 0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js
Size

1.9MB
MD5

f51aee23c560560ae8bddb813dbc69fc
SHA1

fc26a039ed4f48b957463d6dd20bc5c903337268
SHA256

0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1
SHA512

8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397
SSDEEP

12288:TCbvguAMWCPI7nreA07d7x3zqAEiQ3sm0YrYTdmEKGcrtHg2qTecw+z2Om:Qgu37tqAEiQcmGTrKG6t3qTRJm

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 54 IoCs

flow	pid	Process
8	4904	wscript.exe
10	2432	wscript.exe
11	4440	wscript.exe
13	4440	wscript.exe
21	4440	wscript.exe
22	4904	wscript.exe
23	2432	wscript.exe
31	4440	wscript.exe
37	4904	wscript.exe
38	2432	wscript.exe
40	4440	wscript.exe
46	2432	wscript.exe
47	4904	wscript.exe
52	4440	wscript.exe
56	4440	wscript.exe
57	4904	wscript.exe
58	2432	wscript.exe
59	4440	wscript.exe
60	4904	wscript.exe
61	2432	wscript.exe
62	4440	wscript.exe
63	4904	wscript.exe
64	2432	wscript.exe
65	4440	wscript.exe
66	4440	wscript.exe
67	4904	wscript.exe
68	2432	wscript.exe
69	4440	wscript.exe
70	2432	wscript.exe
71	4904	wscript.exe
72	4440	wscript.exe
73	2432	wscript.exe
74	4904	wscript.exe
75	4440	wscript.exe
76	4440	wscript.exe
77	4904	wscript.exe
78	2432	wscript.exe
79	4440	wscript.exe
80	4904	wscript.exe
81	2432	wscript.exe
82	4440	wscript.exe
83	4904	wscript.exe
84	2432	wscript.exe
85	4440	wscript.exe
86	4440	wscript.exe
87	4904	wscript.exe
88	2432	wscript.exe
89	4440	wscript.exe
90	4904	wscript.exe
91	2432	wscript.exe
95	4440	wscript.exe
97	4904	wscript.exe
98	2432	wscript.exe
100	4440	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4904	2636	wscript.exe	82
PID 2636 wrote to memory of 4904	2636	wscript.exe	82
PID 2636 wrote to memory of 4440	2636	wscript.exe	83
PID 2636 wrote to memory of 4440	2636	wscript.exe	83
PID 4440 wrote to memory of 2432	4440	wscript.exe	85
PID 4440 wrote to memory of 2432	4440	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4904
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\NEAS.NEASNEAS0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1jsunknownunknown_JC.js

Filesize
1.9MB

MD5
f51aee23c560560ae8bddb813dbc69fc

SHA1
fc26a039ed4f48b957463d6dd20bc5c903337268

SHA256
0c3ecc4baf3fc3a1dcc446a8f979fcf61a0d4ef1cfd4cb84c99cb7f3b3e170c1

SHA512
8dae74f8f0959cb2901e8fd5b8b185150c658e0a908c56e6687fb8d009c2a5332aa6fd46947f1a6442672f237737772d2d7f9a43a313664ec2a64e35edc70397

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit
C:\Users\Admin\AppData\Roaming\qKrzFkDbDL.js

Filesize
613KB

MD5
1c8210d134d60efc0eda69128e2325bf

SHA1
3dced753dfd807b3ca8eb936f2017b0b67700571

SHA256
8f1443328f070cbc35ba8ce9e98852b5db1e738e57b59af928d4d1f34c437c01

SHA512
36f5996a6311de5054c757ea8aaf7317b93458da3fc9a6b5afe05e7b8a58a8b7254ed77d84121728a50375bf0c18e12347ff96540b1556f72c3109de9e54148c

Download Submit