vjw0rm | 5518f5e20b27a4b10ebc7abce37c733ab532354b5db6aed7edf19c25caba2ff3 | Triage

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2024, 15:20 UTC

Sharing

Report Analysis Logs

General

Target

3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js
Size

12KB
MD5

3e7dd715a15046585cb8034a1fa847b3
SHA1

4cbe1b633a7859821c0b7082385407cb140a0ba5
SHA256

5518f5e20b27a4b10ebc7abce37c733ab532354b5db6aed7edf19c25caba2ff3
SHA512

42777bf0328fe9844aa93e8394f11aba8d02d6bbc77980da2c22bb5b9f9a646763ed4506976dfbf3d2476ca63fbc0845bb5be64c3a6c745daffdd7f7d85f960a
SSDEEP

384:Y7z4C7+owFhl3rwUY5mn33QPHOS2A9P2N:Y7zV+ow5qk3AOSx9q

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
11	60	wscript.exe
21	60	wscript.exe
35	60	wscript.exe
38	60	wscript.exe
45	60	wscript.exe
46	60	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6ID7YY2BDP = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
212	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 212	60	wscript.exe	88
PID 60 wrote to memory of 212	60	wscript.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\3e7dd715a15046585cb8034a1fa847b3_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:212

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

btime1624.duckdns.org

wscript.exe

Remote address:

8.8.8.8:53

Request

btime1624.duckdns.org

IN A

Response

btime1624.duckdns.org

IN A

13.78.209.105
DNS

41.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.134.221.88.in-addr.arpa

IN PTR

Response

41.134.221.88.in-addr.arpa

IN PTR

a88-221-134-41deploystaticakamaitechnologiescom
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

66.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.134.221.88.in-addr.arpa

IN PTR

Response

66.134.221.88.in-addr.arpa

IN PTR

a88-221-134-66deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

107.116.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.116.69.13.in-addr.arpa

IN PTR

Response

13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

260 B
5
13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

260 B
5
13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

260 B
5
13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

260 B
5
13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

260 B
5
13.78.209.105:7923

btime1624.duckdns.org

wscript.exe

208 B
4

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

btime1624.duckdns.org

dns

wscript.exe

67 B
83 B
1
1

DNS Request

btime1624.duckdns.org

DNS Response

13.78.209.105
8.8.8.8:53

41.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

41.134.221.88.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

66.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

66.134.221.88.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

107.116.69.13.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

107.116.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads