vjw0rm | e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a

General

Target

8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js
Size

45KB
MD5

8547af690a9b533d6acd08360f5b18d5
SHA1

fe393629e5df70bcfef741a70432af6c6a528b27
SHA256

e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a
SHA512

7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d
SSDEEP

768:klrw9II2LrCko3oHRirCWiUG+Odm4aS/pLF8NQEJUP:klK1MrCP3oHRirWUG+OdOqv8NQEJS

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

9 2060 wscript.exe
20 2060 wscript.exe
31 2060 wscript.exe
45 2060 wscript.exe
54 2060 wscript.exe
65 2060 wscript.exe

flow	pid	process
9	2060	wscript.exe
20	2060	wscript.exe
31	2060	wscript.exe
45	2060	wscript.exe
54	2060	wscript.exe
65	2060	wscript.exe

Drops startup file 5 IoCs

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exewscript.exe

description	pid	process	target process
PID 1192 wrote to memory of 2200	1192	wscript.exe	wscript.exe
PID 1192 wrote to memory of 2200	1192	wscript.exe	wscript.exe
PID 1192 wrote to memory of 2200	1192	wscript.exe	wscript.exe
PID 1192 wrote to memory of 2060	1192	wscript.exe	wscript.exe
PID 1192 wrote to memory of 2060	1192	wscript.exe	wscript.exe
PID 1192 wrote to memory of 2060	1192	wscript.exe	wscript.exe
PID 2060 wrote to memory of 2544	2060	wscript.exe	wscript.exe
PID 2060 wrote to memory of 2544	2060	wscript.exe	wscript.exe
PID 2060 wrote to memory of 2544	2060	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2200
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8547af690a9b533d6acd08360f5b18d5_JaffaCakes118.js

Filesize
45KB

MD5
8547af690a9b533d6acd08360f5b18d5

SHA1
fe393629e5df70bcfef741a70432af6c6a528b27

SHA256
e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a

SHA512
7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d

Download Submit
C:\Users\Admin\AppData\Roaming\sURhETJCuW.js

Filesize
8KB

MD5
1b42aad624e2912847110be197ac4d15

SHA1
d334bd3287bb2068345fd4f436cee2c0fabc687a

SHA256
3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e

SHA512
57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads