vjw0rm | b6f728eff35bdc68e244a1925e4461293d9dcdbf18b4cd1a5706cb0d54e26106

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6.js
Size

124KB
MD5

18765c6b1a20d6d90603230bca72c903
SHA1

874af995240ebd57aef18e00fcaa0f0f43583b85
SHA256

04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6
SHA512

3c58a98356b3b051797477d1e10cf2f469bed924d97edcd411b98c92436d4e3b4b91e650a0828583092ead6abd755bfdd641b95b4e0ed4e0e9ed75656ab0a5d5
SSDEEP

1536:pvqEkqX412OE9j/dQM66R7f5/1f1tFQfQ3sVZHFimHTalEtYKO/u/5/gQZVFX30M:Fp/dQM66PB10p0mHTQuWuDDPf5YcsEd

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Vjw0rm family
vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roNMkdClhb.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roNMkdClhb.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0WENLYRIM2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\roNMkdClhb.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1892	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1732	4688	wscript.exe	83
PID 4688 wrote to memory of 1732	4688	wscript.exe	83
PID 4688 wrote to memory of 1892	4688	wscript.exe	85
PID 4688 wrote to memory of 1892	4688	wscript.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\roNMkdClhb.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1732
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\04094fa56fe4dc175f9dc4ca63918638ca99b32b4de44fc21f14d5f5122016f6.js
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\roNMkdClhb.js

Filesize
43KB

MD5
c7510446ac13d68ff1f041bebc605c7e

SHA1
5c35a25e7c547fadd03ff9da65b6f6afbb96fbd3

SHA256
d23f1d91a92c1c0730cef2255a8343246fac4ae8f090fca71d823aa368a19736

SHA512
04df165a56f675d32ba113a8a989c208a5954a016bf780912a2c1b9dc1951afa746f97beacb480b94889da63baea9211066d93cf2d1342d1615e936d8ccaaa30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads