vjw0rm | 4dcdeee1e442d12f58dd818e95c31f562d34546c4d61618f7e6322a8c2b5fa0e

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2921078ffa801cc6b1f03e43ecc21969.js
Size

32KB
MD5

2921078ffa801cc6b1f03e43ecc21969
SHA1

906058e1e1ce4d586426ae1ad70d971f3da83a17
SHA256

4dcdeee1e442d12f58dd818e95c31f562d34546c4d61618f7e6322a8c2b5fa0e
SHA512

92cf75cd46faf4b277145bb5a288aa766ba0154a26a7f2def79b33b758847df2a72d7adec103b358a7ef5b09d6a988327c70729903acef394faeea259d99fa35
SSDEEP

768:At0LO4yXv+UWSPb+C6qHOteIy4KUubJ2J01Zalb8Y03l83:Q06+UWDcOteXAJkZalwU

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 7 IoCs

flow	pid	Process
5	2408	wscript.exe
11	2408	wscript.exe
14	2408	wscript.exe
17	2408	wscript.exe
20	2408	wscript.exe
23	2408	wscript.exe
27	2408	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGYMDjeXbD.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGYMDjeXbD.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\jGYMDjeXbD.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2744	1132	wscript.exe	28
PID 1132 wrote to memory of 2744	1132	wscript.exe	28
PID 1132 wrote to memory of 2744	1132	wscript.exe	28
PID 1132 wrote to memory of 2408	1132	wscript.exe	29
PID 1132 wrote to memory of 2408	1132	wscript.exe	29
PID 1132 wrote to memory of 2408	1132	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2921078ffa801cc6b1f03e43ecc21969.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2744
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\TN.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TN.vbs

Filesize
2KB

MD5
67d1ef16a441f01f3cdb946fb37c338c

SHA1
85e95317dee6b010143ca8c4ae3e95f4423c8d2b

SHA256
504e732364e1c8430aa692b4a8bfc1b1e72f4fc1bcd478ba9a5f74627a0f409f

SHA512
f5efab36ce98a5473d2e5706751fdf13d29367b5b2b1c40d75ea2f7e687ec5bc0eee9caa3dcee25dafc81f3f84a58ba5be7ce9b8201ba0214945a1beb2e337e3

Download Submit
C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js

Filesize
10KB

MD5
f44c78ecda070300932b3f777006e1b3

SHA1
fdd5655ded64f931fdabe8d66e2e95cfc49bdff8

SHA256
406662bc108dd5d3b21b23428e2e438696d92195cd08f149ea954eed4a1bc401

SHA512
6cfc61656929ca4a5182b3b086f9b5eefadcf6d5228a53bae8b16b432fd54b9b571213b064d792eaa07a8fb54253e78ec4feb1aabe4ee6b71642a139e08bc0d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads