vjw0rm | 3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06

General

Target

e1c35fbb0a2f810800e6619448f0fec6.js
Size

313KB
MD5

e1c35fbb0a2f810800e6619448f0fec6
SHA1

8a84a677134b31b93434e8aedc9cea27e91f6058
SHA256

3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
SHA512

1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
SSDEEP

6144:tREDKt1MlepfYOzkRElvXPgBLUWA2aY1yWjmWDinsxu9c34B:tRKTqzARElPPgBL3AuyWjzK9cIB

Score

10^/10

vjw0rm xloader o7ht loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o7ht

Decoy

crs-onlineshop.com

desertrosecamping.com

frequencyclips.com

andrewhair.com

leuswim.com

revenuecat.net

payplticket593178197.info

replacementrs.com

flnativemilkmilkweed.com

rintashop.com

shonan5656.com

lexingtonclarke.com

alfapvp2020.xyz

buywetsuitsonline.com

gomihuomh.com

rabo-betaling.xyz

thyhotyoga.com

careplayground.com

bitlineage.com

5923699.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bin.exe	xloader
behavioral1/memory/1072-12-0x0000000000910000-0x0000000000938000-memory.dmp	xloader
behavioral1/memory/2156-17-0x00000000000B0000-0x00000000000D8000-memory.dmp	xloader
behavioral1/memory/2156-20-0x00000000000B0000-0x00000000000D8000-memory.dmp	xloader

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

bin.exe

pid process

1072 bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\bzTHMuWnfp.js\""	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bin.execmstp.exe

description	pid	process	target process
PID 1072 set thread context of 1364	1072	bin.exe	Explorer.EXE
PID 2156 set thread context of 1364	2156	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

bin.execmstp.exe

pid	process
1072	bin.exe
1072	bin.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe
2156	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

bin.execmstp.exe

pid process

1072 bin.exe
1072 bin.exe
1072 bin.exe
2156 cmstp.exe
2156 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bin.execmstp.exe

description pid process

Token: SeDebugPrivilege 1072 bin.exe
Token: SeDebugPrivilege 2156 cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1072	bin.exe
Token: SeDebugPrivilege	2156	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1720 wrote to memory of 2588	1720	wscript.exe	wscript.exe
PID 1720 wrote to memory of 2588	1720	wscript.exe	wscript.exe
PID 1720 wrote to memory of 2588	1720	wscript.exe	wscript.exe
PID 1720 wrote to memory of 1072	1720	wscript.exe	bin.exe
PID 1720 wrote to memory of 1072	1720	wscript.exe	bin.exe
PID 1720 wrote to memory of 1072	1720	wscript.exe	bin.exe
PID 1720 wrote to memory of 1072	1720	wscript.exe	bin.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 1364 wrote to memory of 2156	1364	Explorer.EXE	cmstp.exe
PID 2156 wrote to memory of 1712	2156	cmstp.exe	cmd.exe
PID 2156 wrote to memory of 1712	2156	cmstp.exe	cmd.exe
PID 2156 wrote to memory of 1712	2156	cmstp.exe	cmd.exe
PID 2156 wrote to memory of 1712	2156	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\e1c35fbb0a2f810800e6619448f0fec6.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2588
- - C:\Users\Admin\AppData\Roaming\bin.exe
    "C:\Users\Admin\AppData\Roaming\bin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
    3⤵
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bin.exe

Filesize
160KB

MD5
387be3e3c86fc9d6a2c1923863f39a7d

SHA1
a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2

SHA256
1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6

SHA512
7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d

Download Submit
C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js

Filesize
10KB

MD5
e2e1a525cffad9ed1e32f5c5c2f182aa

SHA1
4009388a60a33416e81f6b6ebe4ee752f2eedeb8

SHA256
41609d1f9bbf9fbefba7505632a5de15e8379fa0d468482665ea050e73927030

SHA512
609f4d04f638766034b5cdf3d15df25b96652e737ff0afbb655609e51c55accfe410dc9722d8191c615d93f59b6c60820393f8e44b362896499e10d7c7aac792

Download Submit
memory/1072-10-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/1072-9-0x0000000000940000-0x0000000000C43000-memory.dmp

Filesize
3.0MB

Download
memory/1072-12-0x0000000000910000-0x0000000000938000-memory.dmp

Filesize
160KB

Download
memory/1364-11-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1364-13-0x0000000006FF0000-0x000000000716D000-memory.dmp

Filesize
1.5MB

Download
memory/1364-24-0x0000000006FF0000-0x000000000716D000-memory.dmp

Filesize
1.5MB

Download
memory/2156-15-0x0000000000060000-0x0000000000078000-memory.dmp

Filesize
96KB

Download
memory/2156-16-0x0000000000060000-0x0000000000078000-memory.dmp

Filesize
96KB

Download
memory/2156-17-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/2156-18-0x0000000001EA0000-0x00000000021A3000-memory.dmp

Filesize
3.0MB

Download
memory/2156-20-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/2156-21-0x0000000001CB0000-0x0000000001D3F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads