vjw0rm | a1dec2c5f22022b4978a4a77dff567d90f34ad47d9ebddb93ed67a833cdceb72

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
Size

3.5MB
MD5

5293caf8da5a2ec1c309b2350b8c3dd9
SHA1

29468c93893106897c24bd141eb6ab418114c3b9
SHA256

a1dec2c5f22022b4978a4a77dff567d90f34ad47d9ebddb93ed67a833cdceb72
SHA512

d25412c34d6f47b6bdafe31dcc8cac6f2822a122098010e34e05757cab39c7bc33665f4f87d0254e85acaea7af82eda8731308c5c270e35072a20ba2e0e32e8b
SSDEEP

49152:iootQwPR5/uU6SkrjFdr9cLS3nMI/05zOKE1antX00I2qTtMi5PKJxxpfKuNsIu7:PkQS2U6zjTxP/05zvntX0L9Oau3b2EM

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\menu.js	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1368	Setup-0.exe
2736	Setup-0.tmp
3272	start.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JEMCRJP65Q = "\"C:\\Users\\Admin\\AppData\\Roaming\\menu.js\""	WScript.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5112-2-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-1-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-7-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-8-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-24-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-33-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-37-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-34-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-39-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-42-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-45-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-48-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-51-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-79-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-82-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-85-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-88-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe
behavioral2/memory/5112-99-0x0000000000400000-0x0000000000A97000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\start.exe	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\menu.js	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\menu.js	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\start.exe	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3872	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1368	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	94
PID 5112 wrote to memory of 1368	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	94
PID 5112 wrote to memory of 1368	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	94
PID 1368 wrote to memory of 2736	1368	Setup-0.exe	96
PID 1368 wrote to memory of 2736	1368	Setup-0.exe	96
PID 1368 wrote to memory of 2736	1368	Setup-0.exe	96
PID 5112 wrote to memory of 3272	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	101
PID 5112 wrote to memory of 3272	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	101
PID 5112 wrote to memory of 3272	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	101
PID 5112 wrote to memory of 4188	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	109
PID 5112 wrote to memory of 4188	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	109
PID 5112 wrote to memory of 4188	5112	5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe	109
PID 4188 wrote to memory of 3872	4188	WScript.exe	111
PID 4188 wrote to memory of 3872	4188	WScript.exe	111
PID 4188 wrote to memory of 3872	4188	WScript.exe	111

C:\Users\Admin\AppData\Local\Temp\5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5293caf8da5a2ec1c309b2350b8c3dd9_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\Setup-0.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup-0.exe" .\
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\is-O9GV0.tmp\Setup-0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O9GV0.tmp\Setup-0.tmp" /SL5="$B01CE,187392,0,C:\Users\Admin\AppData\Local\Temp\Setup-0.exe" .\
    3⤵
    - Executes dropped EXE
    PID:2736
- C:\Windows\SysWOW64\start.exe
  "C:\Windows\SysWOW64\start.exe"
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\menu.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\menu.js
    3⤵
    - Creates scheduled task(s)
    PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup-0.exe

Filesize
1.0MB

MD5
84d652fea8b29901dc04cd0440f17366

SHA1
67e8d6159f4d2b2988af66bc8db1947b0bc35588

SHA256
33b2e61be2889bad80ee3b738b310e5fa852d13007f38f37188dcb04f909d622

SHA512
97daf37b95013689c870c43e29029368014b0435ae943d32ec5fd60fe9d7c64d56d4d18282c22c386b2af332b343d058aed2a981bd3f1ae7c29cd78f5a18c53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O9GV0.tmp\Setup-0.tmp

Filesize
828KB

MD5
38086e2f242e5f3b1c10d72563992adf

SHA1
6b54c1b373d570a892c5c2f7b1941bb400509693

SHA256
a4413233b759e7c2cc14ae813df6488714ffe17d7f34c06f3b6c15a663fd3c90

SHA512
90dd32667bfd681d282feb1cf2759d0e94dc8e5adaae2ed1dd9aa45712eb8a7869060ab7aa8f2d4ef83768dc0ca0f868b645437cf338e671ff749dccd8855b9d

Download Submit
C:\Windows\SysWOW64\menu.js

Filesize
73KB

MD5
8dcb2a57f2caccd5170326490a0cd5f3

SHA1
339259dcd6fc59d9579273eebacf8e6649a03f9b

SHA256
26e1dc3e04297fccd019f19bc91398880deb7165b1a9404ffc1f8e002339fa39

SHA512
00f7cc33ef1e7f09b0738f07921acd8386200a1e380f9e7b8148425d99d6bd604a7627d51c062f4223683bcacaf1f4fd59f167155ceef0224c035a35f91ba422

Download Submit
C:\Windows\SysWOW64\start.exe

Filesize
4.5MB

MD5
c1e14d3322135441ad36da8bcd8d41f4

SHA1
c13f59b81bc43444fe4d7717e4005051ea18aa63

SHA256
9d39c2a5553e31b432257267b932a9a5fb1f2733799e98e164f4756cdde7552c

SHA512
8570997e160d2dc1f6b07b7a447350487e35b3b0681107123e195511b7c080abe49398e630ab976600c96b5378e220fe46ed404914681b1ce297cebddfce05c7

Download Submit
memory/1368-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-38-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2736-32-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3272-69-0x00000000001B0000-0x000000000062E000-memory.dmp

Filesize
4.5MB

Download
memory/3272-77-0x0000000005560000-0x0000000005706000-memory.dmp

Filesize
1.6MB

Download
memory/3272-76-0x0000000005310000-0x0000000005366000-memory.dmp

Filesize
344KB

Download
memory/3272-75-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/3272-74-0x00000000050E0000-0x00000000050E6000-memory.dmp

Filesize
24KB

Download
memory/3272-73-0x00000000079C0000-0x0000000007A52000-memory.dmp

Filesize
584KB

Download
memory/3272-72-0x0000000007ED0000-0x0000000008474000-memory.dmp

Filesize
5.6MB

Download
memory/3272-71-0x0000000007880000-0x000000000791C000-memory.dmp

Filesize
624KB

Download
memory/3272-70-0x00000000074D0000-0x000000000787E000-memory.dmp

Filesize
3.7MB

Download
memory/5112-3-0x0000000000F80000-0x0000000000F84000-memory.dmp

Filesize
16KB

Download
memory/5112-2-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-0-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-39-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-42-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-45-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-48-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-51-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-4-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-37-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-36-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/5112-8-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-33-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-34-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-1-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-24-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-5-0x0000000000FB0000-0x0000000000FF9000-memory.dmp

Filesize
292KB

Download
memory/5112-7-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-79-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-82-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-85-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-88-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/5112-6-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/5112-98-0x0000000000FB0000-0x0000000000FF9000-memory.dmp

Filesize
292KB

Download
memory/5112-99-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download