vjw0rm | a1dec2c5f22022b4978a4a77dff567d90f34ad47d9ebddb93ed67a833cdceb72

General

Target

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
Size

3.5MB
MD5

5293caf8da5a2ec1c309b2350b8c3dd9
SHA1

29468c93893106897c24bd141eb6ab418114c3b9
SHA256

a1dec2c5f22022b4978a4a77dff567d90f34ad47d9ebddb93ed67a833cdceb72
SHA512

d25412c34d6f47b6bdafe31dcc8cac6f2822a122098010e34e05757cab39c7bc33665f4f87d0254e85acaea7af82eda8731308c5c270e35072a20ba2e0e32e8b
SSDEEP

49152:iootQwPR5/uU6SkrjFdr9cLS3nMI/05zOKE1antX00I2qTtMi5PKJxxpfKuNsIu7:PkQS2U6zjTxP/05zvntX0L9Oau3b2EM

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\menu.js WScript.exe
Executes dropped EXE 3 IoCs

Processes:

Setup-0.exeSetup-0.tmpstart.exe

pid process

2620 Setup-0.exe
2200 Setup-0.tmp
384 start.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\menu.js	WScript.exe

pid	process
2620	Setup-0.exe
2200	Setup-0.tmp
384	start.exe

Loads dropped DLL 9 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exeSetup-0.exe

pid	process
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2620	Setup-0.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\JEMCRJP65Q = "\"C:\\Users\\Admin\\AppData\\Roaming\\menu.js\""	WScript.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2492-4-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-9-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-8-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-10-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-3-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-32-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-42-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-46-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-43-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-47-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-50-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-53-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-56-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-81-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-85-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-88-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-91-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral1/memory/2492-105-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\start.exe	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\menu.js	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\menu.js	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\start.exe	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

pid process

2492 5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1684 schtasks.exe

pid	process
1684	schtasks.exe

NTFS ADS 2 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

pid	process
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup-0.tmp

pid process

2200 Setup-0.tmp

pid	process
2200	Setup-0.tmp

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exeSetup-0.exeWScript.exe

description	pid	process	target process
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2492 wrote to memory of 2620	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	Setup-0.exe
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2620 wrote to memory of 2200	2620	Setup-0.exe	Setup-0.tmp
PID 2492 wrote to memory of 384	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	start.exe
PID 2492 wrote to memory of 384	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	start.exe
PID 2492 wrote to memory of 384	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	start.exe
PID 2492 wrote to memory of 384	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	start.exe
PID 2492 wrote to memory of 1740	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	WScript.exe
PID 2492 wrote to memory of 1740	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	WScript.exe
PID 2492 wrote to memory of 1740	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	WScript.exe
PID 2492 wrote to memory of 1740	2492	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	WScript.exe
PID 1740 wrote to memory of 1684	1740	WScript.exe	schtasks.exe
PID 1740 wrote to memory of 1684	1740	WScript.exe	schtasks.exe
PID 1740 wrote to memory of 1684	1740	WScript.exe	schtasks.exe
PID 1740 wrote to memory of 1684	1740	WScript.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\Setup-0.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup-0.exe" .\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\is-HCELC.tmp\Setup-0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HCELC.tmp\Setup-0.tmp" /SL5="$40166,187392,0,C:\Users\Admin\AppData\Local\Temp\Setup-0.exe" .\
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2200
- C:\Windows\SysWOW64\start.exe
  "C:\Windows\SysWOW64\start.exe"
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\menu.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\menu.js
    3⤵
    - Creates scheduled task(s)
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\menu.js

Filesize
73KB

MD5
8dcb2a57f2caccd5170326490a0cd5f3

SHA1
339259dcd6fc59d9579273eebacf8e6649a03f9b

SHA256
26e1dc3e04297fccd019f19bc91398880deb7165b1a9404ffc1f8e002339fa39

SHA512
00f7cc33ef1e7f09b0738f07921acd8386200a1e380f9e7b8148425d99d6bd604a7627d51c062f4223683bcacaf1f4fd59f167155ceef0224c035a35f91ba422

Download Submit
\Users\Admin\AppData\Local\Temp\Setup-0.exe

Filesize
1.0MB

MD5
84d652fea8b29901dc04cd0440f17366

SHA1
67e8d6159f4d2b2988af66bc8db1947b0bc35588

SHA256
33b2e61be2889bad80ee3b738b310e5fa852d13007f38f37188dcb04f909d622

SHA512
97daf37b95013689c870c43e29029368014b0435ae943d32ec5fd60fe9d7c64d56d4d18282c22c386b2af332b343d058aed2a981bd3f1ae7c29cd78f5a18c53b

Download Submit
\Users\Admin\AppData\Local\Temp\is-HCELC.tmp\Setup-0.tmp

Filesize
828KB

MD5
38086e2f242e5f3b1c10d72563992adf

SHA1
6b54c1b373d570a892c5c2f7b1941bb400509693

SHA256
a4413233b759e7c2cc14ae813df6488714ffe17d7f34c06f3b6c15a663fd3c90

SHA512
90dd32667bfd681d282feb1cf2759d0e94dc8e5adaae2ed1dd9aa45712eb8a7869060ab7aa8f2d4ef83768dc0ca0f868b645437cf338e671ff749dccd8855b9d

Download Submit
\Windows\SysWOW64\start.exe

Filesize
4.5MB

MD5
c1e14d3322135441ad36da8bcd8d41f4

SHA1
c13f59b81bc43444fe4d7717e4005051ea18aa63

SHA256
9d39c2a5553e31b432257267b932a9a5fb1f2733799e98e164f4756cdde7552c

SHA512
8570997e160d2dc1f6b07b7a447350487e35b3b0681107123e195511b7c080abe49398e630ab976600c96b5378e220fe46ed404914681b1ce297cebddfce05c7

Download Submit
memory/384-84-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/384-80-0x0000000007200000-0x00000000075AE000-memory.dmp

Filesize
3.7MB

Download
memory/384-79-0x00000000002D0000-0x000000000074E000-memory.dmp

Filesize
4.5MB

Download
memory/2200-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2492-10-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-47-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-3-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-5-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2492-105-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-102-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2492-32-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-6-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/2492-40-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2492-41-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/2492-42-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-1-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2492-46-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-7-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2492-43-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-0-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-50-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-53-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-56-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-8-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-9-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-4-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-81-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-2-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-85-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-88-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2492-91-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/2620-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads