Malware Analysis Report

2025-06-16 01:02

Sample ID 220121-rqp44saadm
Target Order confirmation.jar
SHA256 febb815216146ce5b082e909f7ee36a07f2692201b36671fa0f3c73eb7cd407d
Tags
strrat vjw0rm persistence stealer trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

febb815216146ce5b082e909f7ee36a07f2692201b36671fa0f3c73eb7cd407d

Threat Level: Known bad

The file Order confirmation.jar was found to be: Known bad.

Malicious Activity Summary

strrat vjw0rm persistence stealer trojan worm

STRRAT

Vjw0rm

Blocklisted process makes network request

Loads dropped DLL

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-21 14:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 14:24

Reported

2022-01-21 14:26

Platform

win7-en-20211208

Max time kernel

152s

Max time network

152s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Order confirmation.jar"

Signatures

STRRAT

trojan stealer strrat

Vjw0rm

trojan worm vjw0rm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\java.exe N/A
N/A N/A C:\Program Files\Java\jre7\bin\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\YSCicdEDwo.js\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 1488 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1488 wrote to memory of 364 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 2008 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 2008 wrote to memory of 1736 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1736 wrote to memory of 1056 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1056 wrote to memory of 540 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1056 wrote to memory of 1092 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1056 wrote to memory of 984 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 984 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1056 wrote to memory of 1160 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Order confirmation.jar"

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\_output.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YSCicdEDwo.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hrrtmf.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\hrrtmf.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\hrrtmf.txt"

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 macjoe597.duia.ro udp
EE 91.193.75.133:5002 macjoe597.duia.ro tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 repo1.maven.org udp
US 199.232.192.209:443 repo1.maven.org tcp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 str-master.pw udp
DE 142.93.110.250:80 str-master.pw tcp
US 45.61.168.73:1090 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/740-54-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

memory/740-57-0x00000000022C0000-0x00000000052C0000-memory.dmp

memory/740-56-0x0000000000330000-0x0000000000331000-memory.dmp

C:\Users\Admin\_output.js

MD5 8d3a6602c21805395d12c3712c1e7eaa
SHA1 2dc49b07056930e608799f38a4c78e247623b2b3
SHA256 c87454bab7bc5683186ce9afff2ced7e58a4955911e56ef3ac1283555b39a218
SHA512 3c5476d54372776033104004fcd7833b4125a19168223e966a7187ef3f4020b0cb3b1d656b6a23bc7cba0801f9eb2fc50ec381b8a1102aac7f46c07ea22d54cf

C:\Users\Admin\AppData\Roaming\YSCicdEDwo.js

MD5 07df1f1d44fde366841620d62f88d83d
SHA1 44a71832acc273a1678352e9ec5c33855adf7e5a
SHA256 149e43aa8d8f40466b42489a7a89b692a417d9c1aeb8b7df96fb6250a79985fd
SHA512 5f93d67db06ce31b73bc25d7eb4b9d4c1420e03e9fcb99ca4cfc43f4ec7494e6aca8aecd55820c88108769c93f00ac7b59d4d28fa1aefc2e83cd148ba4863446

C:\Users\Admin\AppData\Roaming\hrrtmf.txt

MD5 3d2c02536aaeb4dc10298146abdbc056
SHA1 114a6aee5200a6984d63024c922e215e25e73460
SHA256 597f4324ca85f66e721e510426476bdef515cddff403629e8bdc7add6a7d479e
SHA512 0e4b8ebbe11a53e7e903e0da9a0c7962d34b34ceff669b1c0145c4e0074afe40d9ba3cfd9d82659b772ac213dbcc0b5be6646efb2c211dec397eab6202b66bfc

memory/2008-65-0x0000000002020000-0x0000000005020000-memory.dmp

memory/2008-66-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2008-67-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2008-73-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2008-93-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2008-96-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2008-113-0x0000000000310000-0x0000000000311000-memory.dmp

C:\Users\Admin\hrrtmf.txt

MD5 3d2c02536aaeb4dc10298146abdbc056
SHA1 114a6aee5200a6984d63024c922e215e25e73460
SHA256 597f4324ca85f66e721e510426476bdef515cddff403629e8bdc7add6a7d479e
SHA512 0e4b8ebbe11a53e7e903e0da9a0c7962d34b34ceff669b1c0145c4e0074afe40d9ba3cfd9d82659b772ac213dbcc0b5be6646efb2c211dec397eab6202b66bfc

C:\Users\Admin\lib\system-hook-3.5.jar

MD5 e1aa38a1e78a76a6de73efae136cdb3a
SHA1 c463da71871f780b2e2e5dba115d43953b537daf
SHA256 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512 fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3846991908-3261386348-1409841751-1000\83aa4cc77f591dfc2374580bbd95f6ba_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

C:\Users\Admin\lib\jna-platform-5.5.0.jar

MD5 2f4a99c2758e72ee2b59a73586a2322f
SHA1 af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA256 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512 b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

C:\Users\Admin\lib\jna-5.5.0.jar

MD5 acfb5b5fd9ee10bf69497792fd469f85
SHA1 0e0845217c4907822403912ad6828d8e0b256208
SHA256 b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512 e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

memory/1736-170-0x0000000001CF0000-0x00000000051E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\jna-63116079\jna7926425829467462927.dll

MD5 e02979ecd43bcc9061eb2b494ab5af50
SHA1 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256 a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA512 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

MD5 b33387e15ab150a7bf560abdc73c3bec
SHA1 66b8075784131f578ef893fd7674273f709b9a4c
SHA256 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA512 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

memory/1056-183-0x00000000022F0000-0x00000000052F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

MD5 2f4a99c2758e72ee2b59a73586a2322f
SHA1 af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA256 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512 b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

MD5 acfb5b5fd9ee10bf69497792fd469f85
SHA1 0e0845217c4907822403912ad6828d8e0b256208
SHA256 b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512 e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7926425829467462927.dll

MD5 e02979ecd43bcc9061eb2b494ab5af50
SHA1 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256 a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA512 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

MD5 e1aa38a1e78a76a6de73efae136cdb3a
SHA1 c463da71871f780b2e2e5dba115d43953b537daf
SHA256 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512 fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

\Users\Admin\AppData\Local\Temp\jna-63116079\jna3677578233119891371.dll

MD5 e02979ecd43bcc9061eb2b494ab5af50
SHA1 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256 a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA512 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

MD5 b33387e15ab150a7bf560abdc73c3bec
SHA1 66b8075784131f578ef893fd7674273f709b9a4c
SHA256 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA512 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-21 14:24

Reported

2022-01-21 14:26

Platform

win10-en-20211208

Max time kernel

149s

Max time network

153s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Order confirmation.jar"

Signatures

Vjw0rm

trojan worm vjw0rm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSCicdEDwo.js C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\YSCicdEDwo.js\"" C:\Windows\System32\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings C:\Windows\SYSTEM32\wscript.exe N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Order confirmation.jar"

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\_output.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YSCicdEDwo.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qzlxoxjgy.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 macjoe597.duia.ro udp
EE 91.193.75.133:5002 macjoe597.duia.ro tcp

Files

memory/2480-116-0x00000000029A0000-0x0000000011AA0000-memory.dmp

memory/2480-117-0x0000000000C40000-0x0000000000C41000-memory.dmp

C:\Users\Admin\_output.js

MD5 8d3a6602c21805395d12c3712c1e7eaa
SHA1 2dc49b07056930e608799f38a4c78e247623b2b3
SHA256 c87454bab7bc5683186ce9afff2ced7e58a4955911e56ef3ac1283555b39a218
SHA512 3c5476d54372776033104004fcd7833b4125a19168223e966a7187ef3f4020b0cb3b1d656b6a23bc7cba0801f9eb2fc50ec381b8a1102aac7f46c07ea22d54cf

C:\Users\Admin\AppData\Roaming\YSCicdEDwo.js

MD5 07df1f1d44fde366841620d62f88d83d
SHA1 44a71832acc273a1678352e9ec5c33855adf7e5a
SHA256 149e43aa8d8f40466b42489a7a89b692a417d9c1aeb8b7df96fb6250a79985fd
SHA512 5f93d67db06ce31b73bc25d7eb4b9d4c1420e03e9fcb99ca4cfc43f4ec7494e6aca8aecd55820c88108769c93f00ac7b59d4d28fa1aefc2e83cd148ba4863446

C:\Users\Admin\AppData\Roaming\qzlxoxjgy.txt

MD5 3d2c02536aaeb4dc10298146abdbc056
SHA1 114a6aee5200a6984d63024c922e215e25e73460
SHA256 597f4324ca85f66e721e510426476bdef515cddff403629e8bdc7add6a7d479e
SHA512 0e4b8ebbe11a53e7e903e0da9a0c7962d34b34ceff669b1c0145c4e0074afe40d9ba3cfd9d82659b772ac213dbcc0b5be6646efb2c211dec397eab6202b66bfc

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 5cf481508461e7e478cae99d71d17ee2
SHA1 319eb173c61a8f9e35d138928fc6f7810ee800ee
SHA256 17962cfbbe92156b0a113bbfca0be31edffafa5d119d105dfee553ce9c82e359
SHA512 46507a65522754d3574d1f3e1b49348260e0a0c25be854ce827fef46db29e19084d7c412c0753e5e09754b82992fa941dc862221bd5e2b9fae8a7381df6ed680

memory/368-256-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/368-258-0x0000000002E10000-0x0000000011F10000-memory.dmp

memory/368-266-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/368-267-0x0000000002E10000-0x0000000011F10000-memory.dmp