vjw0rm | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13

General

Target

JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
Size

45KB
MD5

8c7d90878061ce94f70b41a3d2678379
SHA1

7d08d5be9c64a49ccfeeb14aee806cb017d941db
SHA256

d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13
SHA512

e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792
SSDEEP

768:klrIxmyrDR0WEMKsy+iBPkIaZfO0WGX3FTFcBMENYP:klCNrDuWEMKsyxPkIaZf+Q3bcBMEN+

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Vjw0rm family
vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
11	2496	wscript.exe
20	2496	wscript.exe
29	2496	wscript.exe
41	2496	wscript.exe
49	2496	wscript.exe
58	2496	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2428	2680	wscript.exe	30
PID 2680 wrote to memory of 2428	2680	wscript.exe	30
PID 2680 wrote to memory of 2428	2680	wscript.exe	30
PID 2680 wrote to memory of 2496	2680	wscript.exe	31
PID 2680 wrote to memory of 2496	2680	wscript.exe	31
PID 2680 wrote to memory of 2496	2680	wscript.exe	31
PID 2496 wrote to memory of 2876	2496	wscript.exe	32
PID 2496 wrote to memory of 2876	2496	wscript.exe	32
PID 2496 wrote to memory of 2876	2496	wscript.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2428
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js

Filesize
45KB

MD5
8c7d90878061ce94f70b41a3d2678379

SHA1
7d08d5be9c64a49ccfeeb14aee806cb017d941db

SHA256
d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13

SHA512
e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792

Download Submit
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js

Filesize
8KB

MD5
b1723af127d01881617d42e94db1a187

SHA1
02e312b6a5a1c47baa9dda51a2d887bda2a41d34

SHA256
1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3

SHA512
5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads