vjw0rm | e817bd6a89f5bc3ee448e3c39e5c4739cf010bb815d087ecdd1b5e1f30c04959

General

Target

js-decoded-1.js
Size

346KB
MD5

241d3041e2bb264cf886eff9fc3de24e
SHA1

7f3fe68b0ef727fca62441cff8eea28c5cd51941
SHA256

e817bd6a89f5bc3ee448e3c39e5c4739cf010bb815d087ecdd1b5e1f30c04959
SHA512

078b8f61b2afeefdf283d6e8f6b33986fc3500788b8d77e7672fc6aae70221ac140d850f91401a3e65a8996f49b4c9babdabac7071d7ea40adc84c62e9bbddc0

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

WScript.exe

flow	pid	process
7	3080	WScript.exe
10	3080	WScript.exe
27	3080	WScript.exe
32	3080	WScript.exe
33	3080	WScript.exe
34	3080	WScript.exe
35	3080	WScript.exe
36	3080	WScript.exe
38	3080	WScript.exe
39	3080	WScript.exe
40	3080	WScript.exe
41	3080	WScript.exe
42	3080	WScript.exe
43	3080	WScript.exe
46	3080	WScript.exe
47	3080	WScript.exe
48	3080	WScript.exe
49	3080	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\IwhBHZSsWd.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 3692 wrote to memory of 3080	3692	wscript.exe	WScript.exe
PID 3692 wrote to memory of 3080	3692	wscript.exe	WScript.exe
PID 3692 wrote to memory of 2072	3692	wscript.exe	javaw.exe
PID 3692 wrote to memory of 2072	3692	wscript.exe	javaw.exe
PID 2072 wrote to memory of 64	2072	javaw.exe	java.exe
PID 2072 wrote to memory of 64	2072	javaw.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js-decoded-1.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3080
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vhlxhgn.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\vhlxhgn.txt"
    3⤵
    - Drops file in Program Files directory
    PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js

MD5
be3598b9ef31862aa34d1b79014c22de

SHA1
4d102790ec4bb3f6c95dc5097355c5f03c27beaf

SHA256
69ffc81cf2305ba7dedc79679eb1929dbdbf9e0a4cd6a53193c0367279750b4c

SHA512
778ad27bedbe8c275a5abdcba6f9a1ba43d8963ca67bbc768265fe6e5dcd380e1c7a191f7471364f5d6c22b1ba954819574f185141c631b2deca53a3ba6f7c01

Download Submit
C:\Users\Admin\AppData\Roaming\vhlxhgn.txt

MD5
4a769959e2ee2785d32ef2161f28cd8b

SHA1
e31b455b90081313e3b7405db3efe1582fe39daa

SHA256
496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21

SHA512
8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\vhlxhgn.txt

MD5
4a769959e2ee2785d32ef2161f28cd8b

SHA1
e31b455b90081313e3b7405db3efe1582fe39daa

SHA256
496536d34981fc4155772fe136930ef13cf16116a4df18e6261dd084fce40b21

SHA512
8ef798581834a365f8a7649572c8683e9294cb950917b9c1e9b6ae60bf48b2e4d0e3be312843e398868f31835f276df24f4c5c2b6fb07b654322a8d5351815ca

Download Submit
memory/64-149-0x0000000000000000-mapping.dmp

Download
memory/64-159-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/64-158-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/64-157-0x0000000002AC0000-0x0000000002D30000-memory.dmp

Filesize
2.4MB

Download
memory/2072-138-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2072-128-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2072-132-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2072-133-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/2072-134-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2072-136-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2072-135-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2072-137-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2072-120-0x0000000000000000-mapping.dmp

Download
memory/2072-139-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2072-140-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2072-141-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2072-142-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/2072-144-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/2072-143-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-145-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/2072-147-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2072-146-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2072-148-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2072-129-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2072-130-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2072-127-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/2072-131-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2072-125-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2072-126-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2072-124-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2072-123-0x0000000002710000-0x0000000002980000-memory.dmp

Filesize
2.4MB

Download
memory/2072-122-0x0000000002710000-0x0000000002980000-memory.dmp

Filesize
2.4MB

Download
memory/3080-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads