vjw0rm | 85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38

General

Target

New Price List For DStv&GOtv.pdf.jar
Size

189KB
MD5

b1d6eafab8240680ef96194944ce3801
SHA1

a9b312e682e43b28d28faf6b66c903ba12dfecf5
SHA256

85daaa8ff4820b98c0d1471ed68ab675f2fea97f4d6f6f48a951b4344b9c2b38
SHA512

af2daaccce5c601f4dae45ea51113eb85cb86b055dbba22bfaf131200c5ecf4f29ff66c42ae7bb1d9d6fd893cb715f1c77734f211f296ef91f98c5fa0ac37cf2

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exe

flow	pid	process
14	764	WScript.exe
15	764	WScript.exe
24	764	WScript.exe
27	764	WScript.exe
28	764	WScript.exe
31	764	WScript.exe
32	764	WScript.exe
33	764	WScript.exe
34	764	WScript.exe
37	764	WScript.exe
38	764	WScript.exe
39	764	WScript.exe
40	764	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJBcFWZNgk.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\OJBcFWZNgk.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeSystemtimePrivilege	1672	svchost.exe
Token: SeSystemtimePrivilege	1672	svchost.exe
Token: SeIncBasePriorityPrivilege	1672	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 2520 wrote to memory of 1424	2520	java.exe	wscript.exe
PID 2520 wrote to memory of 1424	2520	java.exe	wscript.exe
PID 1424 wrote to memory of 764	1424	wscript.exe	WScript.exe
PID 1424 wrote to memory of 764	1424	wscript.exe	WScript.exe
PID 1424 wrote to memory of 1432	1424	wscript.exe	javaw.exe
PID 1424 wrote to memory of 1432	1424	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\New Price List For DStv&GOtv.pdf.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\_output.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:764

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvfvhnkswy.txt"
3⤵
- Drops file in Program Files directory
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
9bb08a6bc36bab5b2038e24d670e1977

SHA1
c4be6325724f286f7ac00b9eb31b65d6644695cc

SHA256
fb05185b9ecb495c85740e03ace07e68662fd290c3b9d251858e2b4f7335d31d

SHA512
4ce8204cf54d5bb0c9106d03a296dfb832319c3d8a6226429557be45508fe1856dea2be523f9b5595c1d8130a65c9c0a73a566a52fbc0c2d98bb68494f65941e

Download Submit
C:\Users\Admin\AppData\Roaming\OJBcFWZNgk.js
MD5
fc0cb1ff890aa7f09fd3bd3827af0b87

SHA1
5526d64b92cd11fb1d1eb0f0576a921886375a66

SHA256
9e2ef6055a292ce2d36436c0e63cb73ea350fe9eadb1fe94c277574f71554100

SHA512
2dbe53b6aee7f70b37ae9561c0cb9f91be6e676d23fbba17f8c79a29f2a4f421463115bf9bef379da985592cfd39e6ec548564d331b3914bc3cc4d6e68a47adf

Download Submit
C:\Users\Admin\AppData\Roaming\mvfvhnkswy.txt
MD5
b3acd757ecc865d9d1cc5f0d28e7c1cd

SHA1
21fc24e2f164d12901e9e03473c3b9937d769f29

SHA256
ba6ee4d1e97961b7fe05f41b9ea98a1c4fc10ff77eb43fd9d8ca47a24ec7a692

SHA512
c79a895adbcf1bb699af6aa2353b5bf6fe0ac46a1d7db556a60e7b2efd7effc63c9963b97ae70d5279e90a490bf32af046e3109b83d5c9ef946e94ee57ce179e

Download Submit
C:\Users\Admin\_output.js
MD5
76a2ee18308c8a93a01c9f081ef8ed45

SHA1
afe25ab310a108bed28201113bf9421c5e8a08a7

SHA256
f1ba647a42b3672fd5ec98e21a38eacdb7e96f6a6e5ad30cb0dfcb0d8173d5fa

SHA512
ddff9f779d911c025ba804237421844dacaadd30243b0b591e928e8e00b574b95f711bee7a631a8be04bc34b8b751c253cf07ef80abed55c90bbab0d8f63fe92

Download Submit
memory/1432-138-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1432-142-0x0000000002E10000-0x0000000011F10000-memory.dmp

Filesize
241.0MB

Download
memory/2520-131-0x0000000002D40000-0x0000000011E40000-memory.dmp

Filesize
241.0MB

Download
memory/2520-132-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads