vjw0rm | ec6bacab189b6eb6ed566e0c49a6a41b3c01c28145051e733b578318060ad881

General

Target

2837de7c12b43967fa14a8593245cb26.exe
Size

3.9MB
MD5

2837de7c12b43967fa14a8593245cb26
SHA1

46b5a0ea0571f5b0c543949cca006937f378ce18
SHA256

ec6bacab189b6eb6ed566e0c49a6a41b3c01c28145051e733b578318060ad881
SHA512

96a8f33cb279a0b1f5ac0c1475ffcad5d67b420a1b87e8965677dca96d48f305d335ed2626618fb0f52049d211ef0be9ab30665d49bc34c34d4082e2b26c15a1
SSDEEP

98304:2bwHted1N2mcuVkch0CoSvmQAlXF6GN/Asr3/OWtvvv:2kNO/rkczoSeffL/z3/OCv

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2192	WScript.exe
6	2192	WScript.exe
7	2192	WScript.exe
9	2192	WScript.exe
10	2192	WScript.exe
11	2192	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	setup.exe

Loads dropped DLL 12 IoCs

pid	Process
948	2837de7c12b43967fa14a8593245cb26.exe
948	2837de7c12b43967fa14a8593245cb26.exe
948	2837de7c12b43967fa14a8593245cb26.exe
948	2837de7c12b43967fa14a8593245cb26.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\V5RI1KLY0A = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\info.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d0000000122f0-8.dat	nsis_installer_1
behavioral1/files/0x000d0000000122f0-8.dat	nsis_installer_2
behavioral1/files/0x000d0000000122f0-15.dat	nsis_installer_1
behavioral1/files/0x000d0000000122f0-15.dat	nsis_installer_2
behavioral1/files/0x000d0000000122f0-12.dat	nsis_installer_1
behavioral1/files/0x000d0000000122f0-12.dat	nsis_installer_2
behavioral1/files/0x000d0000000122f0-10.dat	nsis_installer_1
behavioral1/files/0x000d0000000122f0-10.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2468	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2192	948	2837de7c12b43967fa14a8593245cb26.exe	17
PID 948 wrote to memory of 2192	948	2837de7c12b43967fa14a8593245cb26.exe	17
PID 948 wrote to memory of 2192	948	2837de7c12b43967fa14a8593245cb26.exe	17
PID 948 wrote to memory of 2192	948	2837de7c12b43967fa14a8593245cb26.exe	17
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 948 wrote to memory of 1716	948	2837de7c12b43967fa14a8593245cb26.exe	21
PID 2192 wrote to memory of 2468	2192	WScript.exe	19
PID 2192 wrote to memory of 2468	2192	WScript.exe	19
PID 2192 wrote to memory of 2468	2192	WScript.exe	19
PID 2192 wrote to memory of 2468	2192	WScript.exe	19

C:\Users\Admin\AppData\Local\Temp\2837de7c12b43967fa14a8593245cb26.exe
"C:\Users\Admin\AppData\Local\Temp\2837de7c12b43967fa14a8593245cb26.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Anydesk /tr "C:\Users\Admin\AppData\Local\Temp\info.js
    3⤵
    - Creates scheduled task(s)
    PID:2468
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
36KB

MD5
f41480f6f0858cdabe2ceea3e0020041

SHA1
83dd98a7de70dc21f39a52e6ed27b9f6c85fd6bd

SHA256
83286f93ec6cdf32c96e9f8e5466d5ff24ac240db67a42e6da99b79dccf90eab

SHA512
8427357325ea628e3447741304844fb307b3e1910b6d68bd83198610f6078f81b0fe46144e197d3c2732e26045b31020348e1ab27c0b16b5f331a1648a573ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
382KB

MD5
e999d42b182125ef82b4e426dcc1c34b

SHA1
eba63f961a8b07d5ef27176d24988c680dff5b34

SHA256
027b3c04baa455bc6475b0185f74fd7efe06b3d7af7858f213ad5acfa68adea6

SHA512
c4c6d75f4368cfbe190ee18926f2e0f28949a4036f2e62c10ad4906f753302343da2a67309be21594d9ee6c74f1264bf17eaa2236e791465a8926d2515cc4ddb

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
93KB

MD5
077a263f46d528e907912526d46679ca

SHA1
583f7faaa4fe4c18b2be16d843205eb0ce8d36fe

SHA256
6d4147e90f62adc99a4f9f1517ba95205c628eb97ee1c979500c84d07589f99a

SHA512
33ba5049c35cf0c8877854a96dc9cc660b8c80ef5dfc63c701dbb0729bffea63e24b8ccbc217891b36a7cd671f0eb3625c251c0b1b6b310e941ce28367d92a78

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
92KB

MD5
ae43e77de5336da04bdcc02ed577beea

SHA1
22ebb94df707c5df0a7411821994a982a0913bea

SHA256
1a8f93cafb9269a06ac3126e1d22b8cc8b8053bd085de23e1bf65bdc6000d32b

SHA512
6aec10d991f4cf1aaefa242812d8fe405ccc7fe404bf46381a56097c24be24c11ed8aa6cf99d84155ea03933ecec7911830dd36c094e210d1839d36203859e59

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads