vjw0rm | e3f46470aa9ef52628f741e07db33a6af854693ae2a761d397bf87fbfbe687c9

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 03:18

Target

4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js
Size

11KB
MD5

4bbeabc7d902f9f654cfe9c4f51d155d
SHA1

04b90a68e3911bc4edcf355c1db4567ae173c601
SHA256

e3f46470aa9ef52628f741e07db33a6af854693ae2a761d397bf87fbfbe687c9
SHA512

ecebe6eeb0848600cc8d4ac6b612ad4f02e5bce7d3f35ed14936508aa987c449a8e8029752bfa0b46ed68661836b99692abedce4175d3a7085aa22e0cb9882e5
SSDEEP

192:GDiOn6F9bg4NuHmcVP0sntG4a3FRUciE8IswHT9xfD8+pLhZx53fAeT7yTK:GDii6FVg4NEnbt7a3F2/EzswH/JIeXyO

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

4 2000 wscript.exe
6 2000 wscript.exe
7 2000 wscript.exe
9 2000 wscript.exe
10 2000 wscript.exe
11 2000 wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\6ID7YY2BDP = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe

pid	process
2724	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2000 wrote to memory of 2724	2000	wscript.exe	schtasks.exe
PID 2000 wrote to memory of 2724	2000	wscript.exe	schtasks.exe
PID 2000 wrote to memory of 2724	2000	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\4bbeabc7d902f9f654cfe9c4f51d155d_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:2724