vjw0rm | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13

General

Target

JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
Size

45KB
MD5

8c7d90878061ce94f70b41a3d2678379
SHA1

7d08d5be9c64a49ccfeeb14aee806cb017d941db
SHA256

d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13
SHA512

e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792
SSDEEP

768:klrIxmyrDR0WEMKsy+iBPkIaZfO0WGX3FTFcBMENYP:klCNrDuWEMKsyxPkIaZf+Q3bcBMEN+

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Vjw0rm family
vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	2680	wscript.exe
30	2680	wscript.exe
48	2680	wscript.exe
55	2680	wscript.exe
65	2680	wscript.exe
70	2680	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 956	2444	wscript.exe	81
PID 2444 wrote to memory of 956	2444	wscript.exe	81
PID 2444 wrote to memory of 2680	2444	wscript.exe	82
PID 2444 wrote to memory of 2680	2444	wscript.exe	82
PID 2680 wrote to memory of 2980	2680	wscript.exe	84
PID 2680 wrote to memory of 2980	2680	wscript.exe	84

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:956
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JaffaCakes118_8c7d90878061ce94f70b41a3d2678379.js

Filesize
45KB

MD5
8c7d90878061ce94f70b41a3d2678379

SHA1
7d08d5be9c64a49ccfeeb14aee806cb017d941db

SHA256
d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13

SHA512
e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792

Download Submit
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js

Filesize
8KB

MD5
b1723af127d01881617d42e94db1a187

SHA1
02e312b6a5a1c47baa9dda51a2d887bda2a41d34

SHA256
1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3

SHA512
5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads