vjw0rm | f251156124b27bd9de66f6cf4d17b234cae540a4737dfe95fb71602dfd738174

General

Target

4b263027057b16a083bb8e409b8dbced.js
Size

199KB
MD5

4b263027057b16a083bb8e409b8dbced
SHA1

f4c761417c146343db7d305f60a3b370669fe8e5
SHA256

f251156124b27bd9de66f6cf4d17b234cae540a4737dfe95fb71602dfd738174
SHA512

38b3be25c0dc3a9aafa995a565bc9588741e3178ebe64bb95a07e2e3000f9900ebde4f5a5543a2d8688e29907fb392705a12fd6f6dc264b94fdaa3f4a128ba5f
SSDEEP

3072:Oaqiowk1T2FI5gt6SIIjX9IGLfm1Hri4+fJ5L/QBdc7EBHWB:ORi2Slg0jHCi4arL/Udc7EpWB

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jTtxtIjlOc.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jTtxtIjlOc.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2708	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\jTtxtIjlOc.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 1056	3820	wscript.exe	26
PID 3820 wrote to memory of 1056	3820	wscript.exe	26
PID 3820 wrote to memory of 4976	3820	wscript.exe	39
PID 3820 wrote to memory of 4976	3820	wscript.exe	39
PID 4976 wrote to memory of 2708	4976	javaw.exe	94
PID 4976 wrote to memory of 2708	4976	javaw.exe	94

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4b263027057b16a083bb8e409b8dbced.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jTtxtIjlOc.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1056
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oukwuamvh.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b3f27887583c80188d46217febcde624

SHA1
baa1a647acb6c5d83655a2e6eaa49e233c2f0845

SHA256
09a14a8e1dc929212f942c6f1f568b308fc515930751b08e6778cb6ff7679c73

SHA512
a81c5c19ae34300c06df30e6f9440c27fcbc4ca50b72db82abf24fe6664f234fbbb310f347614b5bdb07c74bb4ee21fb6a11d36cd3f9709e9d472889a832168c

Download Submit
C:\Users\Admin\AppData\Roaming\jTtxtIjlOc.js

Filesize
10KB

MD5
aaf4029030e66fc5a1f728d1e45f506e

SHA1
f8b00acf66797dac7e25faadbc7444faf15a225d

SHA256
4de890877e6eea47f9667cc64c94493f81b63499fe9e5858a526da4617ded348

SHA512
e708ee9596a830d180edd381c15a78efee06306ec23d6b2386fc666d1923ed3e61b6df9666ba0b70778048566dada9bd7bd9c551a4ffc555c46d7855a0e673c4

Download Submit
C:\Users\Admin\AppData\Roaming\oukwuamvh.txt

Filesize
88KB

MD5
468ec549c270898563a0d61e42a3bd17

SHA1
6bbd046226d2a87abd4e24d9831e029d97f5e0c7

SHA256
ba97fd311dcae06ced279a1a5503252c7c0986a28e4168f0f96b4afcbcb7f79b

SHA512
e9071cd00f5c12810e08655f9dedd740fa3052132467a1596056d986a505d980fde4a0bac0d9ff573b630fd0c5b4aeec05b878bd3d05c549e9745fe26dbc8039

Download Submit
memory/4976-11-0x0000027280000000-0x0000027281000000-memory.dmp

Filesize
16.0MB

Download
memory/4976-23-0x00000272FBE00000-0x00000272FBE01000-memory.dmp

Filesize
4KB

Download
memory/4976-24-0x0000027280000000-0x0000027281000000-memory.dmp

Filesize
16.0MB

Download
memory/4976-27-0x0000027280280000-0x0000027280290000-memory.dmp

Filesize
64KB

Download
memory/4976-28-0x0000027280000000-0x0000027281000000-memory.dmp

Filesize
16.0MB

Download
memory/4976-29-0x0000027280000000-0x0000027281000000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads