vjw0rm | 59f8cd4a8082917464fa030dbf1bc90f99d12f30fc4ba6cd3723db42ca9b12f7

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 04:38

Target

a0f6fb7fa7c1cfcdbbfc67d307c74083.js
Size

8KB
MD5

a0f6fb7fa7c1cfcdbbfc67d307c74083
SHA1

58341f91d689f92a4a6918437d753deda79ebf4f
SHA256

59f8cd4a8082917464fa030dbf1bc90f99d12f30fc4ba6cd3723db42ca9b12f7
SHA512

5971476bc95241d03fe173a9f253eacc1c9efc8af065b71e32b31d221efe82f892c372fa8851dd61b86593bc776255ef9c664a15cf4549f9048eee69a3cc4873
SSDEEP

192:h9ohUmsP4t/HFLFm1Fc32LyrBfs+in3RDfFkqQfnB/DoAn4JKv1eg3:gFsgtvFEiG+lfs+U3RDfFkqYhDoAn4J6

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 1 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0f6fb7fa7c1cfcdbbfc67d307c74083.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\JJM3W6LMN3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\a0f6fb7fa7c1cfcdbbfc67d307c74083.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2956 schtasks.exe

pid	process
2956	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1892 wrote to memory of 2956	1892	wscript.exe	schtasks.exe
PID 1892 wrote to memory of 2956	1892	wscript.exe	schtasks.exe
PID 1892 wrote to memory of 2956	1892	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a0f6fb7fa7c1cfcdbbfc67d307c74083.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\a0f6fb7fa7c1cfcdbbfc67d307c74083.js
  2⤵
  - Creates scheduled task(s)
  PID:2956