vjw0rm | 830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

General

Target

RFQ SANOVIT.js
Size

5.8MB
MD5

68fe8b2c25d14040c66447c5c79a9ada
SHA1

cad211509ce75af931879b13af4f97d1e550f427
SHA256

830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6
SHA512

8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f
SSDEEP

24576:KDlDx+TAMOOb5biMkVXTFQRkdgMdsrot/ycPMP4qavnS8CQD+52/UBT6twHHeV1E:X

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

flow	pid	Process
15	840	wscript.exe
18	4856	wscript.exe
19	2152	wscript.exe
28	4856	wscript.exe
31	840	wscript.exe
35	2152	wscript.exe
50	4856	wscript.exe
51	840	wscript.exe
52	2152	wscript.exe
58	4856	wscript.exe
62	840	wscript.exe
63	2152	wscript.exe
70	4856	wscript.exe
71	840	wscript.exe
72	2152	wscript.exe
76	4856	wscript.exe
84	840	wscript.exe
85	2152	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ SANOVIT.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJYnpdFdIs.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ SANOVIT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ SANOVIT.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 840	3184	wscript.exe	86
PID 3184 wrote to memory of 840	3184	wscript.exe	86
PID 3184 wrote to memory of 4856	3184	wscript.exe	87
PID 3184 wrote to memory of 4856	3184	wscript.exe	87
PID 4856 wrote to memory of 2152	4856	wscript.exe	90
PID 4856 wrote to memory of 2152	4856	wscript.exe	90

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ SANOVIT.js"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:840
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KJYnpdFdIs.js

Filesize
346KB

MD5
f512b9328455558e518c93d453b7d6e0

SHA1
bf5cf55fae037e024ac2a29497094b4c1e3a8b87

SHA256
16d47f03cbf0fff0bef5ff6437179c8b480021abffa9663faa302a3d4a978392

SHA512
c41ea1aee8636a4b49a9cce99f77c2ac4f5cc7b7494957beb0579f3370a6268330185ce889c028cfeb557ff3d4922d0370f788bf5104f02cfe8558f65ea1f82d

Download Submit
C:\Users\Admin\AppData\Roaming\RFQ SANOVIT.js

Filesize
5.8MB

MD5
68fe8b2c25d14040c66447c5c79a9ada

SHA1
cad211509ce75af931879b13af4f97d1e550f427

SHA256
830229964e0a12a468c5d3c0578a5e4e782c2ae7bcc240d7bf6f82a373ae08c6

SHA512
8649ec2b2a41fca46cff2f6acb3a159eabbc7dcfacf858990b3f092618b706af9265299be2d650b9c39f46843bdb90539861e61a2cfef8778f7cca4a4567c84f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads