vjw0rm | ec6bacab189b6eb6ed566e0c49a6a41b3c01c28145051e733b578318060ad881

General

Target

2837de7c12b43967fa14a8593245cb26.exe
Size

3.9MB
MD5

2837de7c12b43967fa14a8593245cb26
SHA1

46b5a0ea0571f5b0c543949cca006937f378ce18
SHA256

ec6bacab189b6eb6ed566e0c49a6a41b3c01c28145051e733b578318060ad881
SHA512

96a8f33cb279a0b1f5ac0c1475ffcad5d67b420a1b87e8965677dca96d48f305d335ed2626618fb0f52049d211ef0be9ab30665d49bc34c34d4082e2b26c15a1
SSDEEP

98304:2bwHted1N2mcuVkch0CoSvmQAlXF6GN/Asr3/OWtvvv:2kNO/rkczoSeffL/z3/OCv

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
15	428	WScript.exe
37	428	WScript.exe
40	428	WScript.exe
48	428	WScript.exe
61	428	WScript.exe
136	428	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2837de7c12b43967fa14a8593245cb26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	setup.exe

Loads dropped DLL 7 IoCs

pid	Process
2572	setup.exe
2572	setup.exe
2572	setup.exe
2572	setup.exe
2572	setup.exe
2572	setup.exe
2572	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V5RI1KLY0A = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\info.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x000c000000023161-16.dat	nsis_installer_1
behavioral2/files/0x000c000000023161-16.dat	nsis_installer_2
behavioral2/files/0x000c000000023161-15.dat	nsis_installer_1
behavioral2/files/0x000c000000023161-15.dat	nsis_installer_2
behavioral2/files/0x000c000000023161-8.dat	nsis_installer_1
behavioral2/files/0x000c000000023161-8.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4468	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	2837de7c12b43967fa14a8593245cb26.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 428	972	2837de7c12b43967fa14a8593245cb26.exe	24
PID 972 wrote to memory of 428	972	2837de7c12b43967fa14a8593245cb26.exe	24
PID 972 wrote to memory of 428	972	2837de7c12b43967fa14a8593245cb26.exe	24
PID 972 wrote to memory of 2572	972	2837de7c12b43967fa14a8593245cb26.exe	25
PID 972 wrote to memory of 2572	972	2837de7c12b43967fa14a8593245cb26.exe	25
PID 972 wrote to memory of 2572	972	2837de7c12b43967fa14a8593245cb26.exe	25
PID 428 wrote to memory of 4468	428	WScript.exe	28
PID 428 wrote to memory of 4468	428	WScript.exe	28
PID 428 wrote to memory of 4468	428	WScript.exe	28

C:\Users\Admin\AppData\Local\Temp\2837de7c12b43967fa14a8593245cb26.exe
"C:\Users\Admin\AppData\Local\Temp\2837de7c12b43967fa14a8593245cb26.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Anydesk /tr "C:\Users\Admin\AppData\Local\Temp\info.js
    3⤵
    - Creates scheduled task(s)
    PID:4468
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
36KB

MD5
f41480f6f0858cdabe2ceea3e0020041

SHA1
83dd98a7de70dc21f39a52e6ed27b9f6c85fd6bd

SHA256
83286f93ec6cdf32c96e9f8e5466d5ff24ac240db67a42e6da99b79dccf90eab

SHA512
8427357325ea628e3447741304844fb307b3e1910b6d68bd83198610f6078f81b0fe46144e197d3c2732e26045b31020348e1ab27c0b16b5f331a1648a573ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
92KB

MD5
ea7b04ffe92c457bbf1f84e0670fd3ed

SHA1
2b4a6cdaa8177c032ea1a196158cc14cb943e6bd

SHA256
4dd2d2bcc08ab245cabbdd1760e1f6dbbf3975f62a633a2fd25ef6528870bb66

SHA512
a822d2ca575ea182e5cae9d09f437e5b9f7f0889ff2bc23a209bcfa77b7d1220776dfe658a20cb403ebfedd50073ee20b81fb889472807f03462a306a61fa1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
384KB

MD5
1b76d03f97c29c46adda5446838e7b91

SHA1
2f99930201e36ee27856b1404c2b938c9948ba52

SHA256
711f1f5f4ba177482b99eac79f97dae950bd9d98afe67ef699692db9adf8e7ed

SHA512
4d2768455791018debcb5d52eb9fdb9b1a7d3a0225399cb14cc9ca1fbcc5c0f4cf29502e3e76d4ecb3b04d10c9f66da904c9fa22d28eb2cf0e9e7764178d151b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads