vjw0rm | 830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

General

Target

RFQ SANOVIT.js
Size

5.8MB
MD5

68fe8b2c25d14040c66447c5c79a9ada
SHA1

cad211509ce75af931879b13af4f97d1e550f427
SHA256

830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6
SHA512

8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f
SSDEEP

24576:KDlDx+TAMOOb5biMkVXTFQRkdgMdsrot/ycPMP4qavnS8CQD+52/UBT6twHHeV1E:X

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 19 IoCs

flow	pid	Process
7	2872	wscript.exe
8	2724	wscript.exe
9	2980	wscript.exe
15	2872	wscript.exe
16	2724	wscript.exe
18	2980	wscript.exe
20	2872	wscript.exe
22	2724	wscript.exe
24	2980	wscript.exe
26	2872	wscript.exe
30	2724	wscript.exe
31	2980	wscript.exe
33	2872	wscript.exe
37	2724	wscript.exe
39	2980	wscript.exe
40	2872	wscript.exe
44	2980	wscript.exe
45	2724	wscript.exe
47	2872	wscript.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2724	2260	wscript.exe	28
PID 2260 wrote to memory of 2724	2260	wscript.exe	28
PID 2260 wrote to memory of 2724	2260	wscript.exe	28
PID 2260 wrote to memory of 2872	2260	wscript.exe	29
PID 2260 wrote to memory of 2872	2260	wscript.exe	29
PID 2260 wrote to memory of 2872	2260	wscript.exe	29
PID 2872 wrote to memory of 2980	2872	wscript.exe	31
PID 2872 wrote to memory of 2980	2872	wscript.exe	31
PID 2872 wrote to memory of 2980	2872	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ SANOVIT.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2724
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js

Filesize
346KB

MD5
f512b9328455558e518c93d453b7d6e0

SHA1
bf5cf55fae037e024ac2a29497094b4c1e3a8b87

SHA256
16d47f03cbf0fff0bef5ff6437179c8b480021abffa9663faa302a3d4a978392

SHA512
c41ea1aee8636a4b49a9cce99f77c2ac4f5cc7b7494957beb0579f3370a6268330185ce889c028cfeb557ff3d4922d0370f788bf5104f02cfe8558f65ea1f82d

Download Submit
C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js

Filesize
5.8MB

MD5
68fe8b2c25d14040c66447c5c79a9ada

SHA1
cad211509ce75af931879b13af4f97d1e550f427

SHA256
830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

SHA512
8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads