vjw0rm | fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a88c19299c8fd2e3bf299798a6a322.js
Size

200KB
MD5

63a88c19299c8fd2e3bf299798a6a322
SHA1

7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
SHA256

fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
SHA512

3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
SSDEEP

3072:9uhE0m9+ACB9epP1nu+CcFztpcUodQ4kq98YJDkBPrspGQidJHlkg:loAm9ezu+Ci5pcUoNkpkkJeo/Fkg

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3008	2816	wscript.exe	28
PID 2816 wrote to memory of 3008	2816	wscript.exe	28
PID 2816 wrote to memory of 3008	2816	wscript.exe	28
PID 2816 wrote to memory of 2820	2816	wscript.exe	30
PID 2816 wrote to memory of 2820	2816	wscript.exe	30
PID 2816 wrote to memory of 2820	2816	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\63a88c19299c8fd2e3bf299798a6a322.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3008
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\exoorvjljt.txt"
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\exoorvjljt.txt

Filesize
24KB

MD5
3ad560a2f04677b4c9535d7647ca2365

SHA1
dcaf8c056c502c98274f308a5ae7e4e4827e1196

SHA256
960c149cea9566cb179f818ab20b495e8a5aba4fd8f4c576da40ed2f0ae1682b

SHA512
a96b5f687b614f45ca470202ebeadd415f25955773655c1f2db540907b42611f7fad975fe8cd569177b87d29775510b4e23dd975f72ad1cc512d210bad368c87

Download Submit
C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js

Filesize
9KB

MD5
12bdb4d35045ca79f03c7ab66fa2a4d0

SHA1
fa1942411e165ec654f437f026b0e2e8028fa1fd

SHA256
9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a

SHA512
9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9

Download Submit
memory/2820-10-0x0000000002700000-0x0000000005700000-memory.dmp

Filesize
48.0MB

Download
memory/2820-17-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2820-35-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2820-36-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2820-40-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2820-41-0x0000000002700000-0x0000000005700000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads