vjw0rm | 87d6eb8714fe79b95f2f74649cd2fef28e9d57e4c4e990d7ac0f0f6281b978f8

Analysis

max time kernel
0s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8722654a1ef8fcfebf490bce2492392.js
Size

207KB
MD5

b8722654a1ef8fcfebf490bce2492392
SHA1

7669dfc5f9bf91b3231fe30cb052adeb60e5f749
SHA256

87d6eb8714fe79b95f2f74649cd2fef28e9d57e4c4e990d7ac0f0f6281b978f8
SHA512

2ceff57cdf708ebe9c4b3735589045730178bf9914bcebef478c5ec8fa14fcd879c71c5543c7b90faff71f70ed477f1376e070785e2d3bbe52f11397aaec1846
SSDEEP

3072:n3zn7Ok2Cw2jnNqAQ6rJBBjQ/+E8L+dE/6QXqU3OTBc0JF7mn+CtY6K1LmvjIPdB:z7Fng6FBBcpgC2FZ3AD7mn+v6ALkEdqO

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\DGjEIUIodz.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1920	2888	wscript.exe	18
PID 2888 wrote to memory of 1920	2888	wscript.exe	18
PID 2888 wrote to memory of 1920	2888	wscript.exe	18
PID 2888 wrote to memory of 2516	2888	wscript.exe	17
PID 2888 wrote to memory of 2516	2888	wscript.exe	17
PID 2888 wrote to memory of 2516	2888	wscript.exe	17

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\b8722654a1ef8fcfebf490bce2492392.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ggzvqba.txt"
  2⤵
  PID:2516
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js"
  2⤵
  - Adds Run key to start application
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js

Filesize
10KB

MD5
f38989cc8aaa486a1d20937d3364715c

SHA1
33dd1be185eba1eb4a6c52182c3df3f53ca6e9a5

SHA256
e582d7660be65f8dcfc39688ea515022baaa734b5fb336e7f2a1e4e19071b4d5

SHA512
c619a61774708eb36cf96b634221dad4d72f0fc5f820866508b0540415ee436b9fcb7779795d7a8f7096f68296e41088d650134c1b67f3a77105a31f9026ed0a

Download Submit
C:\Users\Admin\AppData\Roaming\ggzvqba.txt

Filesize
87KB

MD5
3b18ee6d3799e72d9503facf2a595a8d

SHA1
a90aab5699cc2f94832c8fff1e2cbfa259c0f3f6

SHA256
92ebef4b9ddd46abbc41a446ace8a5409dded5191817f824d12b65837e4d75c8

SHA512
94243112a6147a63632c8ccd2a6ba80ba81704fb736d08c6256cd36060fc919389b95f590f8c5229fa36e383bfb93148727b46b8efca7047cbac654141191dc1

Download Submit
memory/2516-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-10-0x00000000026D0000-0x00000000056D0000-memory.dmp

Filesize
48.0MB

Download
memory/2516-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-40-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-47-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-63-0x00000000026D0000-0x00000000056D0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads