vjw0rm | 9c048a52d161626ba45d49ba1a412b4cd1fc05520d4193a57d5b2edf7bbb885e

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 00:17

Target

eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
Size

12KB
MD5

eeb0261c57ae2557a73b0a66f862e982
SHA1

aca3295dea76d1d31730bff6f30d3ed453eaca0c
SHA256

9c048a52d161626ba45d49ba1a412b4cd1fc05520d4193a57d5b2edf7bbb885e
SHA512

fe6c2bf415b37c5341294dd5b0bfaefffd73dcb92dda241f82341687456ca2b17d3ab07551a7d277b2fb04b31793b77599e6d5f1a68488f379cb4466b5441588
SSDEEP

384:e2e2itotH0lahotIvlLa0w3B280D15bXiRXJzTlNt0Th5P:e2atotUMotIba2Nx5bXqJzzt8H

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 24 IoCs

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\O3FNWNFPWY = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2056	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2056	2236	wscript.exe	29
PID 2236 wrote to memory of 2056	2236	wscript.exe	29
PID 2236 wrote to memory of 2056	2236	wscript.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:2056