vjw0rm | c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616

Analysis

max time kernel
34s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-06-2022 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAGO.jar
Size

637KB
MD5

a74e3c57306dc12d60d0deadecaf161c
SHA1

97dee2433ae1eba49ac89fd43dc3a85bbee8c81f
SHA256

c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616
SHA512

17c3b182df76d724920e86d2b83b254427e02a9c5844586993a59f6cd15defd5e0bcc29c6064721bf7b47bf2ca85ac42c90f499c655092f8cda426fc5836277c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

16 3924 WScript.exe

flow	pid	process
16	3924	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.exewscript.exejavaw.exe

description	pid	process	target process
PID 528 wrote to memory of 4116	528	java.exe	wscript.exe
PID 528 wrote to memory of 4116	528	java.exe	wscript.exe
PID 4116 wrote to memory of 3924	4116	wscript.exe	WScript.exe
PID 4116 wrote to memory of 3924	4116	wscript.exe	WScript.exe
PID 4116 wrote to memory of 4584	4116	wscript.exe	javaw.exe
PID 4116 wrote to memory of 4584	4116	wscript.exe	javaw.exe
PID 4584 wrote to memory of 4056	4584	javaw.exe	java.exe
PID 4584 wrote to memory of 4056	4584	javaw.exe	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PAGO.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\jyahaoabcs.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3924

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yunkaqgcr.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.68790091747807075494916774673852204.class
4⤵
PID:4056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7958714061420353250.vbs
5⤵
PID:1708

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7958714061420353250.vbs
6⤵
PID:4776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2248412979110948191.vbs
5⤵
PID:1216

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2248412979110948191.vbs
6⤵
PID:1108

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
0e02124b014be52f3a301eb8a75f9559

SHA1
fffc10826cbe2b78a78409715c39eaa1ef157b5c

SHA256
3ab56016eddc0cc7739760bcaf3b8ad19e4303e43c28ceb202ff2696780b9c7d

SHA512
1a9a7d3fb0ebbf6a62e51a1bb0e3eb95d41fc4bfac715f168a358e71bd0d288e3d57ac67812877947987c3166c4ca05fc8cf5b670c69ae736fc3c348f2b407de

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
cdf602f998625ddd884cdd5da581af04

SHA1
1b1ee1081990f74e01db8268f03d77700160093d

SHA256
542d258006d1103314964557527c478b2abdceec49e9c70cfd063865929fe4b0

SHA512
3c3161258eb97e7eb09de72a082d7aee38f57dfdcbe6fed0d9b8182eeb7c4f398087b1ed536d2db3294e32378b0cc5e18b406226f4415d8545536ff61edb749c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive2248412979110948191.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7958714061420353250.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.68790091747807075494916774673852204.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
Filesize
24KB

MD5
9cb94db4ae02bd253f2a41995076f5d2

SHA1
51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1

SHA256
16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec

SHA512
f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161

Download Submit
C:\Users\Admin\AppData\Roaming\yunkaqgcr.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\jyahaoabcs.js
Filesize
953KB

MD5
b0858d86fb22aa01d7ad40ef5ab0b069

SHA1
6c6c7a2f34149a8702d2ae401294291d38c064a0

SHA256
0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0

SHA512
980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6

Download Submit
memory/528-132-0x0000000002D00000-0x0000000003D00000-memory.dmp

Filesize
16.0MB

Download
memory/1108-190-0x0000000000000000-mapping.dmp

Download
memory/1216-189-0x0000000000000000-mapping.dmp

Download
memory/1708-183-0x0000000000000000-mapping.dmp

Download
memory/3924-143-0x0000000000000000-mapping.dmp

Download
memory/4056-170-0x0000000003160000-0x0000000004160000-memory.dmp

Filesize
16.0MB

Download
memory/4056-181-0x0000000003160000-0x0000000004160000-memory.dmp

Filesize
16.0MB

Download
memory/4056-184-0x0000000003160000-0x0000000004160000-memory.dmp

Filesize
16.0MB

Download
memory/4056-186-0x0000000003160000-0x0000000004160000-memory.dmp

Filesize
16.0MB

Download
memory/4056-158-0x0000000000000000-mapping.dmp

Download
memory/4056-188-0x0000000003160000-0x0000000004160000-memory.dmp

Filesize
16.0MB

Download
memory/4116-140-0x0000000000000000-mapping.dmp

Download
memory/4584-176-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/4584-154-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/4584-145-0x0000000000000000-mapping.dmp

Download
memory/4776-185-0x0000000000000000-mapping.dmp

Download
memory/5104-192-0x0000000000000000-mapping.dmp

Download