vjw0rm | da60503512af869134e5698522fd48d794e650e0749feaf07d120b17f4cccd73

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 06:09

Target

6c8cb6d8a307774cdd5229cae0a74fa2.js
Size

15KB
MD5

6c8cb6d8a307774cdd5229cae0a74fa2
SHA1

1dae1ca15bdc9eb2d3250f45b612d852c7caefda
SHA256

da60503512af869134e5698522fd48d794e650e0749feaf07d120b17f4cccd73
SHA512

a494e3240297489819f209c86a98361b27174e853fec3eff9d6959ad8a10efdc6c5f956d668349c8b4a46d3ac1a48fd89426e7e36de33eca74902047d89aca4d
SSDEEP

384:s4ws20zJwYx/HaeXI5wRYVShCGO5WJFHuBUlxa:sR0l7o5+8GJJ/Y

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 16 IoCs

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c8cb6d8a307774cdd5229cae0a74fa2.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P7EKOWB6GH = "\"C:\\ProgramData\\6c8cb6d8a307774cdd5229cae0a74fa2.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2644	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2644	2908	wscript.exe	89
PID 2908 wrote to memory of 2644	2908	wscript.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6c8cb6d8a307774cdd5229cae0a74fa2.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\6c8cb6d8a307774cdd5229cae0a74fa2.js
  2⤵
  - Creates scheduled task(s)
  PID:2644