vjw0rm | c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616

General

Target

PAGO.jar
Size

637KB
MD5

a74e3c57306dc12d60d0deadecaf161c
SHA1

97dee2433ae1eba49ac89fd43dc3a85bbee8c81f
SHA256

c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616
SHA512

17c3b182df76d724920e86d2b83b254427e02a9c5844586993a59f6cd15defd5e0bcc29c6064721bf7b47bf2ca85ac42c90f499c655092f8cda426fc5836277c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 12 IoCs

Processes:

WScript.exe

flow	pid	process
4	1768	WScript.exe
6	1768	WScript.exe
7	1768	WScript.exe
9	1768	WScript.exe
10	1768	WScript.exe
11	1768	WScript.exe
13	1768	WScript.exe
14	1768	WScript.exe
15	1768	WScript.exe
17	1768	WScript.exe
18	1768	WScript.exe
19	1768	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 872 wrote to memory of 1732	872	java.exe	wscript.exe
PID 872 wrote to memory of 1732	872	java.exe	wscript.exe
PID 872 wrote to memory of 1732	872	java.exe	wscript.exe
PID 1732 wrote to memory of 1768	1732	wscript.exe	WScript.exe
PID 1732 wrote to memory of 1768	1732	wscript.exe	WScript.exe
PID 1732 wrote to memory of 1768	1732	wscript.exe	WScript.exe
PID 1732 wrote to memory of 1428	1732	wscript.exe	javaw.exe
PID 1732 wrote to memory of 1428	1732	wscript.exe	javaw.exe
PID 1732 wrote to memory of 1428	1732	wscript.exe	javaw.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PAGO.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\jyahaoabcs.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1768

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fchjlxrt.txt"
3⤵
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fchjlxrt.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
Filesize
24KB

MD5
9cb94db4ae02bd253f2a41995076f5d2

SHA1
51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1

SHA256
16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec

SHA512
f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161

Download Submit
C:\Users\Admin\jyahaoabcs.js
Filesize
953KB

MD5
b0858d86fb22aa01d7ad40ef5ab0b069

SHA1
6c6c7a2f34149a8702d2ae401294291d38c064a0

SHA256
0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0

SHA512
980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6

Download Submit
memory/872-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/872-65-0x00000000020B0000-0x00000000050B0000-memory.dmp

Filesize
48.0MB

Download
memory/1428-70-0x0000000000000000-mapping.dmp

Download
memory/1428-83-0x00000000021C0000-0x00000000051C0000-memory.dmp

Filesize
48.0MB

Download
memory/1428-85-0x00000000021C0000-0x00000000051C0000-memory.dmp

Filesize
48.0MB

Download
memory/1732-64-0x0000000000000000-mapping.dmp

Download
memory/1768-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads