vjw0rm | 9e08b5396987899e20119e6baa726653c3e03c85772e5f07a71b586338d6e110

Analysis

max time kernel
153s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67fbad40453a19402d1989cfd18c769c.js
Size

31KB
MD5

67fbad40453a19402d1989cfd18c769c
SHA1

a6a7980d2200573fa05bd4d00b3bd73445fad99a
SHA256

9e08b5396987899e20119e6baa726653c3e03c85772e5f07a71b586338d6e110
SHA512

0df4845e96ca72aa227f11215fc7a340eab5dc687954d86d963e5ef3149a7991582b0626aa5657773e7a15ce0898a71b411726eb6ee585a53aa71b301c58472d
SSDEEP

768:M4h4XJXAT93bYgqpUbUGguXjEVwGRIwo3lq0+eOhX:o5wxEgqpUbPgvV5s+eiX

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	1168	wscript.exe
47	1168	wscript.exe
56	1168	wscript.exe
74	1168	wscript.exe
79	1168	wscript.exe
88	1168	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uLBxnntOnW.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uLBxnntOnW.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67fbad40453a19402d1989cfd18c769c.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67fbad40453a19402d1989cfd18c769c.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\uLBxnntOnW.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4516	1168	wscript.exe	88
PID 1168 wrote to memory of 4516	1168	wscript.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\67fbad40453a19402d1989cfd18c769c.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uLBxnntOnW.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uLBxnntOnW.js

Filesize
10KB

MD5
4384461e0d76c05ce635c8ec2e462501

SHA1
c060bc7c9661dc6d43abae5cd3a2ff966cc7716c

SHA256
be21d9aba93c26c4c40c177e7fd3ce5c6b99f89a5e797a9cf030b3e25faa9ac5

SHA512
313ef13aff7176a92e30b5362db402c7f531558b6820c3dd805d6e5f10186b0ddd94c18b835462727c0e9690b096c8ea8fc87ad262e116b30ac83ea9dee9ae62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads