vjw0rm | ec94a85166da6bff3051c6960ff02eb964ed676d15a7d426b4a075c32d892a70

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 17:30

Target

JaffaCakes118_70248b64f0da47a78531964998bd071a.js
Size

3KB
MD5

70248b64f0da47a78531964998bd071a
SHA1

761b6341377def95d8558e806e6516b4548f8566
SHA256

ec94a85166da6bff3051c6960ff02eb964ed676d15a7d426b4a075c32d892a70
SHA512

e098e34bc1fdaed9b8e4c85699a2352344848bdf11e6590c8fdff22b489744e30bddebefd5e34b394ac5a0db50f725b281bf2907a542dbd0e1ee6bbf3e5f5215

Score

10^/10

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Vjw0rm family
vjw0rm

Blocklisted process makes network request 6 IoCs

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_70248b64f0da47a78531964998bd071a.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_70248b64f0da47a78531964998bd071a.js	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\0OZMEL5YCB = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_70248b64f0da47a78531964998bd071a.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
2100	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2100	1960	wscript.exe	31
PID 1960 wrote to memory of 2100	1960	wscript.exe	31
PID 1960 wrote to memory of 2100	1960	wscript.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70248b64f0da47a78531964998bd071a.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70248b64f0da47a78531964998bd071a.js
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2100