vjw0rm | d16b502ff0b1413b19a22a39888f1f0ac6f42eede611b5c4b7d004802a814c9d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CC051000007401.vbs
Size

44KB
MD5

bfb1a7641288bf047bf8f8d403f3b138
SHA1

b5ddaa8db4a2d33bd5fa46f70ffe2893612652ee
SHA256

d16b502ff0b1413b19a22a39888f1f0ac6f42eede611b5c4b7d004802a814c9d
SHA512

ca92f671e3debfaaa64cb284821f0886b7faa7b6d0fced6476ab889d3a2373936bfefd0e5feef11ececd943eec5bb1c745a68ca61c1ef4480cc5c526a011a9f7
SSDEEP

768:myaI+a0DXtSbnbhbhscz0i/w+8MtXs/oo5ziD53Z40mb/DqfZW377PiMQ+XrUcsd:x/0DXtSbnbhbhsw0i/w+8M9s/oo5ziDT

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

http://hicham9risa.duckdns.org:4566

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 44 IoCs

flow	pid	Process
6	2768	wscript.exe
7	2756	WScript.exe
9	2756	WScript.exe
10	2756	WScript.exe
13	2756	WScript.exe
15	2768	wscript.exe
16	2756	WScript.exe
17	2756	WScript.exe
19	2756	WScript.exe
21	2756	WScript.exe
23	2768	wscript.exe
24	2756	WScript.exe
27	660	WScript.exe
28	2756	WScript.exe
29	660	WScript.exe
31	2756	WScript.exe
32	660	WScript.exe
36	2756	WScript.exe
39	660	WScript.exe
41	2768	wscript.exe
43	2756	WScript.exe
45	660	WScript.exe
46	2756	WScript.exe
48	660	WScript.exe
50	2756	WScript.exe
52	660	WScript.exe
55	2756	WScript.exe
56	660	WScript.exe
58	2768	wscript.exe
60	2756	WScript.exe
61	660	WScript.exe
64	2756	WScript.exe
66	660	WScript.exe
68	2756	WScript.exe
69	660	WScript.exe
72	2756	WScript.exe
73	660	WScript.exe
77	2768	wscript.exe
78	2756	WScript.exe
80	660	WScript.exe
82	2756	WScript.exe
84	660	WScript.exe
85	2756	WScript.exe
86	660	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CC051000007401.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HwuuOCwVXt.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HwuuOCwVXt.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CC051000007401.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ZC0UTZGTT = "\"C:\\Users\\Admin\\AppData\\Roaming\\CC051000007401.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HwuuOCwVXt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HwuuOCwVXt.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HwuuOCwVXt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HwuuOCwVXt.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ZC0UTZGTT = "\"C:\\Users\\Admin\\AppData\\Roaming\\CC051000007401.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2016	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2768	2756	WScript.exe	30
PID 2756 wrote to memory of 2768	2756	WScript.exe	30
PID 2756 wrote to memory of 2768	2756	WScript.exe	30
PID 2756 wrote to memory of 2744	2756	WScript.exe	31
PID 2756 wrote to memory of 2744	2756	WScript.exe	31
PID 2756 wrote to memory of 2744	2756	WScript.exe	31
PID 2072 wrote to memory of 660	2072	taskeng.exe	40
PID 2072 wrote to memory of 660	2072	taskeng.exe	40
PID 2072 wrote to memory of 660	2072	taskeng.exe	40
PID 660 wrote to memory of 1968	660	WScript.exe	41
PID 660 wrote to memory of 1968	660	WScript.exe	41
PID 660 wrote to memory of 1968	660	WScript.exe	41
PID 660 wrote to memory of 2016	660	WScript.exe	42
PID 660 wrote to memory of 2016	660	WScript.exe	42
PID 660 wrote to memory of 2016	660	WScript.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CC051000007401.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HwuuOCwVXt.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2768
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\CC051000007401.vbs
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2744

C:\Windows\system32\taskeng.exe
taskeng.exe {D3073B4C-FA42-4D16-ADC7-B17782963368} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CC051000007401.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HwuuOCwVXt.vbs"
    3⤵
    PID:1968
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\CC051000007401.vbs
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CC051000007401.vbs

Filesize
44KB

MD5
bfb1a7641288bf047bf8f8d403f3b138

SHA1
b5ddaa8db4a2d33bd5fa46f70ffe2893612652ee

SHA256
d16b502ff0b1413b19a22a39888f1f0ac6f42eede611b5c4b7d004802a814c9d

SHA512
ca92f671e3debfaaa64cb284821f0886b7faa7b6d0fced6476ab889d3a2373936bfefd0e5feef11ececd943eec5bb1c745a68ca61c1ef4480cc5c526a011a9f7

Download Submit
C:\Users\Admin\AppData\Roaming\HwuuOCwVXt.vbs

Filesize
20KB

MD5
2bc142422db72367ed567ea9116180a5

SHA1
53550f445137268bc50a725ab17875972252974d

SHA256
0706faee2b62be8c4ddcfea421a9c0d1e5fb518c809a8cdc60f688a3de911d1a

SHA512
7739c96f1b9da1445a49ba83f7ae725fbbe45df72c3972bc21174630d415d48c831749e43a210685cae80f3970fc664e8b904f9d98a10a2cd1ae5d5c14517113

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads