vjw0rm | 95325bfd74d2ff4d9509357f4b0fd92cb6b28a1a985ec29601eca92a6f550c1e

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js
Size

25KB
MD5

0cecca47acad7973fc6f9f57dde5cc4b
SHA1

4e1f3e273159b4d5915d2418820d5dca805294db
SHA256

95325bfd74d2ff4d9509357f4b0fd92cb6b28a1a985ec29601eca92a6f550c1e
SHA512

ff763c4d2a8c7b95a3497c5cde6bb6c447f3a0b85adc0ab05355ec5e9a63f4d33b113515ffb7c84f20cdcdf46a79f1b235d490b0e4616bf952f863a0d570935b
SSDEEP

768:aq+cB487yZLW/PF+3wh9QmFgilK9UUsImZOOYz:1+cB487y2l9Uig9UUsLZOJ

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

3 4648 wscript.exe
35 4648 wscript.exe
53 4648 wscript.exe
69 4648 wscript.exe
90 4648 wscript.exe
95 4648 wscript.exe

flow	pid	process
3	4648	wscript.exe
35	4648	wscript.exe
53	4648	wscript.exe
69	4648	wscript.exe
90	4648	wscript.exe
95	4648	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XvJkBxcskq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XvJkBxcskq.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0IDR124VF6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\XvJkBxcskq.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4648 wrote to memory of 1616	4648	wscript.exe	wscript.exe
PID 4648 wrote to memory of 1616	4648	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0cecca47acad7973fc6f9f57dde5cc4b_JaffaCakes118.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XvJkBxcskq.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XvJkBxcskq.js

Filesize
8KB

MD5
adc0c21d3a0ac412f26615c8c164dbd1

SHA1
5fe5d7659a8582762c1c836e12e515e9b587af71

SHA256
919988f6a50c88d4c8be4532c17ac46513b4e004d2db9865895a2aad9f4cf31f

SHA512
3f83564a68c60e25b9714caf31dba7e4bfb7d875c17ab2a6dd073d90fa339ee82e72a4430557ff8ba8e7043b0a7680ecae3bb7b4f3c94e0ab74dc9d3e252107b

Download Submit