vjw0rm | 8389c925d2d78ab7caf0b4747b8301cf98a8f762eff59597f28b8fb6204fc08e

Analysis

max time kernel
136s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 09:35

Target

16052024_0935_Reçu de paiement.js
Size

25KB
MD5

d09f2b4326fe1178893ca158e686991a
SHA1

b6e0016a63d51063ecbc40b31a16abb4d8ec3949
SHA256

8389c925d2d78ab7caf0b4747b8301cf98a8f762eff59597f28b8fb6204fc08e
SHA512

c0e0db2c0ed8785114341e9019ef7ae0862ac4fec469a02db951c362ba5186b7f080f98c246d0170578cacdcfb119ae6cd508f996bfd6051bf42179a11528ffa
SSDEEP

384:89/sfhWmJ4QC+/6Kd2Oo9z3+ttBbxjSqnBhtf+MWjfLRrv3bbOdik3Olj85Rknb/:KsfhhJHj66SKPKqnvN+1f1v3XOxJR+MY

Score

10^/10

Family

vjw0rm

http://severdops.ddns.net:5050

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

4 1772 wscript.exe

flow	pid	process
4	1772	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16052024_0935_Reçu de paiement.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16052024_0935_Reçu de paiement.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\5TJJF2Z3XN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\16052024_0935_Reçu de paiement.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2140 schtasks.exe

pid	process
2140	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1772 wrote to memory of 2140	1772	wscript.exe	schtasks.exe
PID 1772 wrote to memory of 2140	1772	wscript.exe	schtasks.exe
PID 1772 wrote to memory of 2140	1772	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\16052024_0935_Reçu de paiement.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\16052024_0935_Reçu de paiement.js
  2⤵
  - Creates scheduled task(s)
  PID:2140