vjw0rm | 9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-04-2024 23:50

Target

7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js
Size

12KB
MD5

7db9fe7b332f94b2c50ce2761b40abfc
SHA1

277de0d07f6080d096fe3b2ece7c99ee3167f3ed
SHA256

9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733
SHA512

b735fc8a216ba8833ebaa00d7f67969645f78a572d5c92052de36e5433d0842ed73e481aec3a58484d7a3ee36033fe83cfaa9565b70472b6b9247a4d7d640c1b
SSDEEP

192:wAvHERJyEyHc+IKX/uuw95RcHdgKMsDjr813OXoJ6GYfBsLP4N32QDvsUgcc:w84Jumh/R7R13OXoJUGsxwb

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

4 1248 wscript.exe
6 1248 wscript.exe
7 1248 wscript.exe
9 1248 wscript.exe
10 1248 wscript.exe
11 1248 wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2300 schtasks.exe

pid	process
2300	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1248 wrote to memory of 2300	1248	wscript.exe	schtasks.exe
PID 1248 wrote to memory of 2300	1248	wscript.exe	schtasks.exe
PID 1248 wrote to memory of 2300	1248	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\7db9fe7b332f94b2c50ce2761b40abfc_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:2300