vjw0rm | a9d56c2aaf9c1885ac43e22fb44a03fd7c5bfb279e085877028f5aae9c898901

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/01/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

629f8999b4ec2a1bc2ae34acb1c13407.js
Size

202KB
MD5

629f8999b4ec2a1bc2ae34acb1c13407
SHA1

ba6f828410418a011505ecc46531f8e41d7c8aa7
SHA256

a9d56c2aaf9c1885ac43e22fb44a03fd7c5bfb279e085877028f5aae9c898901
SHA512

f04832457db6157b6c209af2b12352210b962146f69150316958df28a6765be1109f0fe72123bef3a05f612b6493e84a02a5148f706bf84c982b758c79933b2f
SSDEEP

3072:AVq6TAShnhRrF+Uyd2mfrZcvCU2fRxF/bIJFnrYoQNpUBARmXgjn2yPAvnX7EMv:QTtRrFCdLfSR2f9/egMimGPQnXoMv

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\StbzgazmPv.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2680	2464	wscript.exe	28
PID 2464 wrote to memory of 2680	2464	wscript.exe	28
PID 2464 wrote to memory of 2680	2464	wscript.exe	28
PID 2464 wrote to memory of 2740	2464	wscript.exe	29
PID 2464 wrote to memory of 2740	2464	wscript.exe	29
PID 2464 wrote to memory of 2740	2464	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\629f8999b4ec2a1bc2ae34acb1c13407.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\StbzgazmPv.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2680
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\btcspiyvx.txt"
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\StbzgazmPv.js

Filesize
9KB

MD5
fa19afbc5cae56e8abe0b5f32a84ccf0

SHA1
917e052d1678736ba36b00e21158fc6ac40a87ca

SHA256
c03bf55f0715436228bfb0f1206098fb3c8308e0d0702a1e62d5ca120871666c

SHA512
649641cd45730d9224588946894b0ee0145e32e971eb08c86d28092fbc611be09e5fed696f96e2170b8ae83a3970dadbb8a1c40290ded11127b716aadc97d6b4

Download Submit
C:\Users\Admin\AppData\Roaming\btcspiyvx.txt

Filesize
92KB

MD5
e6530493fa7a2b8c9decd6ff933142f5

SHA1
da2b954fb7a838ead9ff88d1dc15de0348d8415a

SHA256
9c84bb45a54ef6c903b56cf829fecbdeaaadc8ef59cef8077265953aad655756

SHA512
aae36f8c48037dabdc70badd15722c765dc9b349c1a9b41dc8a0ecaa6d95c283f9cfa4bc9e3fc07b60947b7467be85f4b91f053cc6d5d143f5dde4a15fd3994f

Download Submit
memory/2740-10-0x0000000002040000-0x0000000005040000-memory.dmp

Filesize
48.0MB

Download
memory/2740-17-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-24-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-37-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-45-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-62-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-68-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-71-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-76-0x0000000002040000-0x0000000005040000-memory.dmp

Filesize
48.0MB

Download
memory/2740-75-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-81-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2740-82-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads