vjw0rm | 67cc5bf1069e52991c6e15ec0265b5432a5cb1a7bb525bc034f73090646a6d52

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 04:42

Target

Order_2944208.p.js
Size

25KB
MD5

8f0dc2fb0c0a66b14c00caba6d701cba
SHA1

6e1181dcad0d5fdb2397c728b9da259195949332
SHA256

a3c7ed48ab07e2a757b8fa6fe61a4f56cf18193cf651dcdbc85f4c710546c347
SHA512

0af9a3213360db5a33a6a5129e973edfd0af450609e67cfc6835f7f202c49baed2d8f3c1560a879760579aebc852f5ca0658095ba3f40254a82f868deb5dbed9
SSDEEP

768:UAP5fvT+ydvBoRjbSYcSqaqAg0ruV3i8Zg/SizIY6gFOKrywg1SYcSqUHipAMFng:U74zT

Score

10^/10

Family

vjw0rm

http://postventa-vodafone.duckdns.org:5000

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order_2944208.p.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order_2944208.p.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U7Z0QCNASN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order_2944208.p.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
3060	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3060	3368	wscript.exe	86
PID 3368 wrote to memory of 3060	3368	wscript.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_2944208.p.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Order_2944208.p.js
  2⤵
  - Creates scheduled task(s)
  PID:3060