vjw0rm | 3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c35fbb0a2f810800e6619448f0fec6.js
Size

313KB
MD5

e1c35fbb0a2f810800e6619448f0fec6
SHA1

8a84a677134b31b93434e8aedc9cea27e91f6058
SHA256

3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
SHA512

1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
SSDEEP

6144:tREDKt1MlepfYOzkRElvXPgBLUWA2aY1yWjmWDinsxu9c34B:tRKTqzARElPPgBL3AuyWjzK9cIB

Score

10^/10

vjw0rm xloader o7ht loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o7ht

Decoy

crs-onlineshop.com

desertrosecamping.com

frequencyclips.com

andrewhair.com

leuswim.com

revenuecat.net

payplticket593178197.info

replacementrs.com

flnativemilkmilkweed.com

rintashop.com

shonan5656.com

lexingtonclarke.com

alfapvp2020.xyz

buywetsuitsonline.com

gomihuomh.com

rabo-betaling.xyz

thyhotyoga.com

careplayground.com

bitlineage.com

5923699.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023217-6.dat	xloader
behavioral2/memory/3000-12-0x0000000000C60000-0x0000000000C88000-memory.dmp	xloader
behavioral2/memory/4304-18-0x0000000000940000-0x0000000000968000-memory.dmp	xloader
behavioral2/memory/4304-20-0x0000000000940000-0x0000000000968000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3000	bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\bzTHMuWnfp.js\""	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 3296	3000	bin.exe	57
PID 4304 set thread context of 3296	4304	cmd.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3000	bin.exe
3000	bin.exe
3000	bin.exe
3000	bin.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe
4304	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3000	bin.exe
3000	bin.exe
3000	bin.exe
4304	cmd.exe
4304	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	bin.exe
Token: SeDebugPrivilege	4304	cmd.exe
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3296	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2328	2972	wscript.exe	88
PID 2972 wrote to memory of 2328	2972	wscript.exe	88
PID 2972 wrote to memory of 3000	2972	wscript.exe	89
PID 2972 wrote to memory of 3000	2972	wscript.exe	89
PID 2972 wrote to memory of 3000	2972	wscript.exe	89
PID 3296 wrote to memory of 4304	3296	Explorer.EXE	93
PID 3296 wrote to memory of 4304	3296	Explorer.EXE	93
PID 3296 wrote to memory of 4304	3296	Explorer.EXE	93
PID 4304 wrote to memory of 4012	4304	cmd.exe	94
PID 4304 wrote to memory of 4012	4304	cmd.exe	94
PID 4304 wrote to memory of 4012	4304	cmd.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\e1c35fbb0a2f810800e6619448f0fec6.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2328
- - C:\Users\Admin\AppData\Roaming\bin.exe
    "C:\Users\Admin\AppData\Roaming\bin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
    3⤵
    PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bin.exe

Filesize
160KB

MD5
387be3e3c86fc9d6a2c1923863f39a7d

SHA1
a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2

SHA256
1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6

SHA512
7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d

Download Submit
C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js

Filesize
10KB

MD5
e2e1a525cffad9ed1e32f5c5c2f182aa

SHA1
4009388a60a33416e81f6b6ebe4ee752f2eedeb8

SHA256
41609d1f9bbf9fbefba7505632a5de15e8379fa0d468482665ea050e73927030

SHA512
609f4d04f638766034b5cdf3d15df25b96652e737ff0afbb655609e51c55accfe410dc9722d8191c615d93f59b6c60820393f8e44b362896499e10d7c7aac792

Download Submit
memory/3000-11-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/3000-12-0x0000000000C60000-0x0000000000C88000-memory.dmp

Filesize
160KB

Download
memory/3000-13-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/3296-23-0x0000000008C80000-0x0000000008D5F000-memory.dmp

Filesize
892KB

Download
memory/3296-14-0x0000000008FC0000-0x0000000009149000-memory.dmp

Filesize
1.5MB

Download
memory/3296-24-0x0000000008FC0000-0x0000000009149000-memory.dmp

Filesize
1.5MB

Download
memory/3296-25-0x0000000008C80000-0x0000000008D5F000-memory.dmp

Filesize
892KB

Download
memory/3296-28-0x0000000008C80000-0x0000000008D5F000-memory.dmp

Filesize
892KB

Download
memory/4304-15-0x0000000000280000-0x00000000002DA000-memory.dmp

Filesize
360KB

Download
memory/4304-17-0x0000000000280000-0x00000000002DA000-memory.dmp

Filesize
360KB

Download
memory/4304-18-0x0000000000940000-0x0000000000968000-memory.dmp

Filesize
160KB

Download
memory/4304-19-0x00000000015D0000-0x000000000191A000-memory.dmp

Filesize
3.3MB

Download
memory/4304-20-0x0000000000940000-0x0000000000968000-memory.dmp

Filesize
160KB

Download
memory/4304-22-0x0000000001330000-0x00000000013BF000-memory.dmp

Filesize
572KB

Download