vjw0rm | 95325bfd74d2ff4d9509357f4b0fd92cb6b28a1a985ec29601eca92a6f550c1e

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js
Size

25KB
MD5

0cecca47acad7973fc6f9f57dde5cc4b
SHA1

4e1f3e273159b4d5915d2418820d5dca805294db
SHA256

95325bfd74d2ff4d9509357f4b0fd92cb6b28a1a985ec29601eca92a6f550c1e
SHA512

ff763c4d2a8c7b95a3497c5cde6bb6c447f3a0b85adc0ab05355ec5e9a63f4d33b113515ffb7c84f20cdcdf46a79f1b235d490b0e4616bf952f863a0d570935b
SSDEEP

768:aq+cB487yZLW/PF+3wh9QmFgilK9UUsImZOOYz:1+cB487y2l9Uig9UUsLZOJ

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

4 1764 wscript.exe
14 1764 wscript.exe
29 1764 wscript.exe
39 1764 wscript.exe
52 1764 wscript.exe
62 1764 wscript.exe
76 1764 wscript.exe

flow	pid	process
4	1764	wscript.exe
14	1764	wscript.exe
29	1764	wscript.exe
39	1764	wscript.exe
52	1764	wscript.exe
62	1764	wscript.exe
76	1764	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XvJkBxcskq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XvJkBxcskq.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\0IDR124VF6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\XvJkBxcskq.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1764 wrote to memory of 1988	1764	wscript.exe	wscript.exe
PID 1764 wrote to memory of 1988	1764	wscript.exe	wscript.exe
PID 1764 wrote to memory of 1988	1764	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XvJkBxcskq.js"
2⤵
- Drops startup file
- Adds Run key to start application
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XvJkBxcskq.js
Filesize
8KB

MD5
adc0c21d3a0ac412f26615c8c164dbd1

SHA1
5fe5d7659a8582762c1c836e12e515e9b587af71

SHA256
919988f6a50c88d4c8be4532c17ac46513b4e004d2db9865895a2aad9f4cf31f

SHA512
3f83564a68c60e25b9714caf31dba7e4bfb7d875c17ab2a6dd073d90fa339ee82e72a4430557ff8ba8e7043b0a7680ecae3bb7b4f3c94e0ab74dc9d3e252107b

Download Submit