vjw0rm | 5b390b74f05f0682957fcd9523f061ff8f3f8cdcd90ad2700a616bbfcfff7abe

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 05:35

Target

Documento-alteraao-11.03.2020.pdf.js
Size

11KB
MD5

7f7cce8ee185cce9e86e84a6d0885b57
SHA1

93337be9638d0edf6798ae01b13b5482d6b26da3
SHA256

95620589e26199d5b927ebeeb777042b9efbd2311aaea1c369bdf78a39a89943
SHA512

fa873eb30474d4fc9ebe1ef209c8f5bfed9b91712102806e4d6608f1706815dcf293780d4e09e1e1800a6d5f2de61034d7406bcfc5eeef545daa1010e6d9e9e2
SSDEEP

192:zeWaZT3p/+yzT++dMpZ7Wp66zRtuXg25EGV3ehAlL+vrBOYf+wF:6ZTZ/+yzTndMpkg6zR0QCeKUvrlvF

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

Processes:

wscript.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-alteraao-11.03.2020.pdf.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K5DTIQVEYT = "\"C:\\Users\\Admin\\Documento-altera?ao-11.03.2020.pdf.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

928 schtasks.exe

pid	process
928	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1608 wrote to memory of 928	1608	wscript.exe	schtasks.exe
PID 1608 wrote to memory of 928	1608	wscript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Documento-alteraao-11.03.2020.pdf.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\Documento-alteraao-11.03.2020.pdf.js
  2⤵
  - Creates scheduled task(s)
  PID:928