vjw0rm | 0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0

General

Target

jyahaoabcs.js
Size

953KB
MD5

b0858d86fb22aa01d7ad40ef5ab0b069
SHA1

6c6c7a2f34149a8702d2ae401294291d38c064a0
SHA256

0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0
SHA512

980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 64 IoCs

Processes:

WScript.exe

flow	pid	process
2	3040	WScript.exe
4	3040	WScript.exe
5	3040	WScript.exe
7	3040	WScript.exe
11	3040	WScript.exe
12	3040	WScript.exe
13	3040	WScript.exe
14	3040	WScript.exe
15	3040	WScript.exe
16	3040	WScript.exe
17	3040	WScript.exe
18	3040	WScript.exe
19	3040	WScript.exe
20	3040	WScript.exe
21	3040	WScript.exe
22	3040	WScript.exe
23	3040	WScript.exe
24	3040	WScript.exe
25	3040	WScript.exe
26	3040	WScript.exe
27	3040	WScript.exe
28	3040	WScript.exe
29	3040	WScript.exe
30	3040	WScript.exe
31	3040	WScript.exe
32	3040	WScript.exe
33	3040	WScript.exe
34	3040	WScript.exe
35	3040	WScript.exe
36	3040	WScript.exe
37	3040	WScript.exe
38	3040	WScript.exe
39	3040	WScript.exe
40	3040	WScript.exe
41	3040	WScript.exe
46	3040	WScript.exe
47	3040	WScript.exe
48	3040	WScript.exe
49	3040	WScript.exe
50	3040	WScript.exe
51	3040	WScript.exe
52	3040	WScript.exe
55	3040	WScript.exe
56	3040	WScript.exe
57	3040	WScript.exe
58	3040	WScript.exe
59	3040	WScript.exe
60	3040	WScript.exe
61	3040	WScript.exe
62	3040	WScript.exe
63	3040	WScript.exe
64	3040	WScript.exe
65	3040	WScript.exe
66	3040	WScript.exe
67	3040	WScript.exe
68	3040	WScript.exe
69	3040	WScript.exe
70	3040	WScript.exe
71	3040	WScript.exe
72	3040	WScript.exe
73	3040	WScript.exe
74	3040	WScript.exe
75	3040	WScript.exe
76	3040	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\""	WScript.exe

Drops file in Program Files directory 24 IoCs

Processes:

java.exejavaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 3708 wrote to memory of 3040	3708	wscript.exe	WScript.exe
PID 3708 wrote to memory of 3040	3708	wscript.exe	WScript.exe
PID 3708 wrote to memory of 4332	3708	wscript.exe	javaw.exe
PID 3708 wrote to memory of 4332	3708	wscript.exe	javaw.exe
PID 4332 wrote to memory of 4700	4332	javaw.exe	java.exe
PID 4332 wrote to memory of 4700	4332	javaw.exe	java.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jyahaoabcs.js
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3040

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ckmcyrpf.txt"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4332

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.44692350648420218561336289143621866.class
3⤵
- Drops file in Program Files directory
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
083101c35e753ff5378d32e36afcae04

SHA1
ce95fbce6c87fbaad41e3cb86c3cf7f9beab693e

SHA256
8d48cfef823bd98316515efa36f4f03c4ddefcd3814d7ef3302c522a5a10945d

SHA512
de02bfbad16facbf6cd160cf2091110d0909a4ae7d1f01af1a7af9bf27e84ed7a2ad735796bc7a284d6c8d0eb7987e92a4b631d961e0e9e112d53cc366f9d9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.44692350648420218561336289143621866.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4236190499-842014725-259441995-1000\83aa4cc77f591dfc2374580bbd95f6ba_99ef72a1-556b-4cb4-bc70-9c60abc7d0ea
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ckmcyrpf.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
Filesize
24KB

MD5
9cb94db4ae02bd253f2a41995076f5d2

SHA1
51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1

SHA256
16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec

SHA512
f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161

Download Submit
memory/3040-117-0x0000000000000000-mapping.dmp

Download
memory/4332-118-0x0000000000000000-mapping.dmp

Download
memory/4332-125-0x0000000002710000-0x0000000003710000-memory.dmp

Filesize
16.0MB

Download
memory/4332-151-0x0000000002710000-0x0000000003710000-memory.dmp

Filesize
16.0MB

Download
memory/4700-131-0x0000000000000000-mapping.dmp

Download
memory/4700-142-0x0000000002940000-0x0000000003940000-memory.dmp

Filesize
16.0MB

Download
memory/4700-150-0x0000000002940000-0x0000000003940000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads