vjw0rm | c210c36fcfbab3776cbcb918a14a6e633454680e9d7bb4d88b6a3d46082711c7

General

Target

PT.No0021.jar
Size

225KB
MD5

1e0babc6ad2de5834e1972ab0de99249
SHA1

16dda1dd98fb9202efff2f2367f6b9c0740e59ec
SHA256

c210c36fcfbab3776cbcb918a14a6e633454680e9d7bb4d88b6a3d46082711c7
SHA512

98855427cd5e275c88004b5dce8614ea283ad32d11e6c6ed03680939c884c34b608505be964cf66d0bf00c00c424b66e07c4eef185ae00cbc450cbbdc9323ebd
SSDEEP

6144:uMojbC0sFaSqVC0T9Hk18DemQ+EioNY+moVo:Uj+0mas0JxemPEiYVVo

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 14 IoCs

Processes:

WScript.exe

flow	pid	process
16	3364	WScript.exe
30	3364	WScript.exe
48	3364	WScript.exe
49	3364	WScript.exe
53	3364	WScript.exe
59	3364	WScript.exe
60	3364	WScript.exe
61	3364	WScript.exe
62	3364	WScript.exe
63	3364	WScript.exe
64	3364	WScript.exe
65	3364	WScript.exe
66	3364	WScript.exe
67	3364	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IBGiwwfJWX.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IBGiwwfJWX.js	WScript.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 4884 wrote to memory of 5072	4884	java.exe	wscript.exe
PID 4884 wrote to memory of 5072	4884	java.exe	wscript.exe
PID 5072 wrote to memory of 3364	5072	wscript.exe	WScript.exe
PID 5072 wrote to memory of 3364	5072	wscript.exe	WScript.exe
PID 5072 wrote to memory of 4376	5072	wscript.exe	javaw.exe
PID 5072 wrote to memory of 4376	5072	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PT.No0021.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\mtccpdtqby.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IBGiwwfJWX.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:3364

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zmfqlmhm.txt"
3⤵
- Drops file in Program Files directory
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
a8869eabc78ba9b12ed8b0f3f77a93db

SHA1
06b5cd79c411cab1b7af0f59139e728542a3c884

SHA256
5cd5ecef9067d399c04608133fde581a3ce68e840375851993692081ec000c22

SHA512
6a20e1b3a154c16972698688b4ffd581f444fd56e1bc06002b1cc9f2cce9812e0fab91f613477caddba57dd3b53ad92f1651159f1bb11dd80e60636dda83ff86

Download Submit
C:\Users\Admin\AppData\Roaming\IBGiwwfJWX.js
Filesize
1.1MB

MD5
7b531f0797b73cd1d688b539c669c5b0

SHA1
1728cc38f34af482e19146a9aa0e4f12248f37a2

SHA256
8380077115339eabc4c7571664d622438b2e82aa30f8f686c833962b039e359b

SHA512
b6f1772f578e8ffe4ab619a7b17640ff834e7497c7918fe4b60af7799b6775d8e57babc104ea1738d6a6b159e7d75a7596440108ba1cb3ef9d9816d0eaa177f5

Download Submit
C:\Users\Admin\AppData\Roaming\zmfqlmhm.txt
Filesize
164KB

MD5
a4d9686f6feeb517bf8fac9fb78aec6c

SHA1
e611a5a33397cf202799ce5abd6c13a7a3a41822

SHA256
bc79121957cf1302da6daa59ac47f769272467794e0269c68c15dcb224d6bbab

SHA512
8af0428d06a6f5dc6934ffef76d627d15532b4af5adfe81da44b8dd05db881adaf8e7c797a36a29ea79dc5dd9fd027ff497f850582748a419c7d5504bc63d966

Download Submit
C:\Users\Admin\mtccpdtqby.js
Filesize
3.4MB

MD5
fd63be82901c37d3df0c78cc4fd7866e

SHA1
2122b5d4f9f95bf67b624726561f607ce0350ed4

SHA256
dca4d047fa26a97d61999b27e2e5283fbf137d2bac3cf3ead82f8b5beca2a36a

SHA512
d6d517db0dc58063a10ebf61c21b037a2609a887c8f23b081239677905f3f5f358026e804f3ec409cd4f595729a2392cec39573718d05362551ffc18eacac50e

Download Submit
memory/3364-145-0x0000000000000000-mapping.dmp

Download
memory/4376-147-0x0000000000000000-mapping.dmp

Download
memory/4376-159-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/4376-181-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/4376-183-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/4376-184-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/4376-186-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/4884-140-0x0000000002AC0000-0x0000000003AC0000-memory.dmp

Filesize
16.0MB

Download
memory/4884-185-0x0000000002AC0000-0x0000000003AC0000-memory.dmp

Filesize
16.0MB

Download
memory/5072-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads