vjw0rm | fe310b776855f95612a6f8633c73df693a8b940bc10b2109e2c51f54be398b85

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40226ee8e5ccd983ec7446b068819477.js
Size

19KB
MD5

40226ee8e5ccd983ec7446b068819477
SHA1

9417c77384776b685a98293d0416646b18dddf01
SHA256

fe310b776855f95612a6f8633c73df693a8b940bc10b2109e2c51f54be398b85
SHA512

c09bdd3943bd724ac4e13fe6d32061cf54b0af7b726b6f777ba5621c57d6876db683a95ef2d7da95052a7284072f48dc8f5fbf0422d00e275c6026c097ab8cd1
SSDEEP

384:P9XmuVESfBOSNSkykjG4KrIXsaxmlItkCmNXBe1KMym/mukFqsnMPcDl4F9:P9X32SZOSI35qXCqsnMPcCF9

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 11 IoCs

flow	pid	Process
28	632	wscript.exe
43	632	wscript.exe
71	632	wscript.exe
83	632	wscript.exe
89	632	wscript.exe
92	632	wscript.exe
99	632	wscript.exe
100	632	wscript.exe
104	632	wscript.exe
105	632	wscript.exe
108	632	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\40226ee8e5ccd983ec7446b068819477.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5092	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 5092	632	wscript.exe	94
PID 632 wrote to memory of 5092	632	wscript.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\40226ee8e5ccd983ec7446b068819477.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\40226ee8e5ccd983ec7446b068819477.js
  2⤵
  - Creates scheduled task(s)
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads