vjw0rm | 9c048a52d161626ba45d49ba1a412b4cd1fc05520d4193a57d5b2edf7bbb885e

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 00:17

Target

eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
Size

12KB
MD5

eeb0261c57ae2557a73b0a66f862e982
SHA1

aca3295dea76d1d31730bff6f30d3ed453eaca0c
SHA256

9c048a52d161626ba45d49ba1a412b4cd1fc05520d4193a57d5b2edf7bbb885e
SHA512

fe6c2bf415b37c5341294dd5b0bfaefffd73dcb92dda241f82341687456ca2b17d3ab07551a7d277b2fb04b31793b77599e6d5f1a68488f379cb4466b5441588
SSDEEP

384:e2e2itotH0lahotIvlLa0w3B280D15bXiRXJzTlNt0Th5P:e2atotUMotIba2Nx5bXqJzzt8H

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 14 IoCs

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\O3FNWNFPWY = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
4280	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4280	2620	wscript.exe	92
PID 2620 wrote to memory of 4280	2620	wscript.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\eeb0261c57ae2557a73b0a66f862e982_JaffaCakes118.js
  2⤵
  - Creates scheduled task(s)
  PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1408