vjw0rm | c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616

Analysis

max time kernel
15s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JUSTIFICANTES PAGO.jar
Size

637KB
MD5

a74e3c57306dc12d60d0deadecaf161c
SHA1

97dee2433ae1eba49ac89fd43dc3a85bbee8c81f
SHA256

c76b5ae3a1a90382ad79314fc98f1c4b3ce81e640e0f0826930836f3a82a7616
SHA512

17c3b182df76d724920e86d2b83b254427e02a9c5844586993a59f6cd15defd5e0bcc29c6064721bf7b47bf2ca85ac42c90f499c655092f8cda426fc5836277c

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 4148 wrote to memory of 4364	4148	java.exe	wscript.exe
PID 4148 wrote to memory of 4364	4148	java.exe	wscript.exe
PID 4364 wrote to memory of 1716	4364	wscript.exe	WScript.exe
PID 4364 wrote to memory of 1716	4364	wscript.exe	WScript.exe
PID 4364 wrote to memory of 1516	4364	wscript.exe	javaw.exe
PID 4364 wrote to memory of 1516	4364	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTES PAGO.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\jyahaoabcs.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:1716
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vdnlymlf.txt"
    3⤵
    PID:1516
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.41619015268894055441137407019372481.class
      4⤵
      PID:4920
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8200037178742593296.vbs
        5⤵
        
        PID:1616
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8200037178742593296.vbs
        6⤵
        
        PID:396
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1117534342202979438.vbs
        5⤵
        
        PID:3428
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1117534342202979438.vbs
        6⤵
        
        PID:1156
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:4540
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5902589436429825859.vbs
      4⤵
      PID:3204
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5902589436429825859.vbs
        5⤵
        
        PID:3804
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1552832669937385789.vbs
      4⤵
      PID:1948
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1552832669937385789.vbs
        5⤵
        
        PID:3452
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
af1af511f8cc0fb1c672c4e4c711edcb

SHA1
c2a020782b66cef312ad79f4038aa7c75f4cbfef

SHA256
e3a0b19da0c79e26688f5dad42935259020ada6e283b0a80e8b46b5fe9e20c57

SHA512
23dd0bbf36ef03c555c51a0361c5fdda3825b9a0dba33471a8de8334e9091e7986bd9ca48393c6642af8aedc72671cea013b122e5b7642e204ab9690f0525e5b

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
6f01300357a781e1455b3fb138e3d3ce

SHA1
b276387d9a00c28f4f95a9cf7913bd0309d0345a

SHA256
ad8f3840d5b4a59b1fcf81fe38df30b1b752eaaa5aa7565828a193bead9690fe

SHA512
90274e6ad3820e16d976f18d28b282ccad129caa246f4ffd9a9e1cc2f9e3f603097cd21082170b24b73d8b5c5cd3daf566f5151224dfa9adf24e1ef445a44f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1117534342202979438.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1552832669937385789.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5902589436429825859.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8200037178742593296.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.41619015268894055441137407019372481.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\vdnlymlf.txt

Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js

Filesize
24KB

MD5
9cb94db4ae02bd253f2a41995076f5d2

SHA1
51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1

SHA256
16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec

SHA512
f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161

Download Submit
C:\Users\Admin\jyahaoabcs.js

Filesize
953KB

MD5
b0858d86fb22aa01d7ad40ef5ab0b069

SHA1
6c6c7a2f34149a8702d2ae401294291d38c064a0

SHA256
0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0

SHA512
980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6

Download Submit
memory/396-189-0x0000000000000000-mapping.dmp

Download
memory/1156-196-0x0000000000000000-mapping.dmp

Download
memory/1516-191-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/1516-180-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/1516-157-0x0000000002E50000-0x0000000003E50000-memory.dmp

Filesize
16.0MB

Download
memory/1516-145-0x0000000000000000-mapping.dmp

Download
memory/1616-188-0x0000000000000000-mapping.dmp

Download
memory/1716-143-0x0000000000000000-mapping.dmp

Download
memory/1948-195-0x0000000000000000-mapping.dmp

Download
memory/3204-186-0x0000000000000000-mapping.dmp

Download
memory/3428-194-0x0000000000000000-mapping.dmp

Download
memory/3452-198-0x0000000000000000-mapping.dmp

Download
memory/3804-190-0x0000000000000000-mapping.dmp

Download
memory/4148-134-0x0000000003190000-0x0000000004190000-memory.dmp

Filesize
16.0MB

Download
memory/4364-140-0x0000000000000000-mapping.dmp

Download
memory/4540-202-0x0000000000000000-mapping.dmp

Download
memory/4920-187-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4920-170-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/4920-158-0x0000000000000000-mapping.dmp

Download
memory/4920-200-0x0000000002950000-0x0000000003950000-memory.dmp

Filesize
16.0MB

Download
memory/5088-201-0x0000000000000000-mapping.dmp

Download