vjw0rm | e270482c1dfaf5a5080792e81e63724ece6f1bb1798c6a094b0f682b11c5edfd

Analysis

max time kernel
110s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2e7fb86a5c136f7fcf790f8ef616a9_JaffaCakes118.js
Size

38KB
MD5

ee2e7fb86a5c136f7fcf790f8ef616a9
SHA1

3bc8c40d14944f3a353b3b0f200a46b40e8edb61
SHA256

e270482c1dfaf5a5080792e81e63724ece6f1bb1798c6a094b0f682b11c5edfd
SHA512

15ac382f903665d210ff29df222551f5e9af95a792a483d41e06a4668763299805279e896a434571001b4c2e8d71c4e8a30e89e01e77d4812a5231ce0305d6f0
SSDEEP

96:Xngc4sFAHAk3tcROHcRb+UfL7MHU+d3e74XkDdqs00AKp07llhIx07l49Unf66NH:XgR8AHAI0FFxK9kgT95

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1312	wscript.exe
6	1312	wscript.exe
7	1312	wscript.exe
9	1312	wscript.exe
10	1312	wscript.exe
11	1312	wscript.exe
13	1312	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee2e7fb86a5c136f7fcf790f8ef616a9_JaffaCakes118.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2660	1312	wscript.exe	29
PID 1312 wrote to memory of 2660	1312	wscript.exe	29
PID 1312 wrote to memory of 2660	1312	wscript.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ee2e7fb86a5c136f7fcf790f8ef616a9_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\ee2e7fb86a5c136f7fcf790f8ef616a9_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads