vjw0rm | e33df6ad1c1f683b5fe7dd5edfe1d0f9e246ab41364b3f6ae297e717a5ff8026

General

Target

a3b2ac28fb71d8461b6c90327fabb5a1.js
Size

904KB
MD5

a3b2ac28fb71d8461b6c90327fabb5a1
SHA1

033bf48edff207df74d6b78410040f391750db8f
SHA256

e33df6ad1c1f683b5fe7dd5edfe1d0f9e246ab41364b3f6ae297e717a5ff8026
SHA512

4174fd12ac86611280ffb1c3afaffbeb1c888f7835747738dba38cce5c75093c6831bb509236839fb67931bc77f925575e418d89bf295e8265d0987b266efc89
SSDEEP

12288:Ms4IgvqEHGaezYf9R/sT1FmyPNweSj0UViZvc7CuvJzQdypXTjafMvjkyK0rcbtb:MND8akYlR/g+XCuBLjyMv4yWjPjb

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsFyEuHKj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsFyEuHKj.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\lrsFyEuHKj.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2736	1708	wscript.exe	28
PID 1708 wrote to memory of 2736	1708	wscript.exe	28
PID 1708 wrote to memory of 2736	1708	wscript.exe	28
PID 1708 wrote to memory of 2816	1708	wscript.exe	29
PID 1708 wrote to memory of 2816	1708	wscript.exe	29
PID 1708 wrote to memory of 2816	1708	wscript.exe	29
PID 2816 wrote to memory of 2516	2816	javaw.exe	33
PID 2816 wrote to memory of 2516	2816	javaw.exe	33
PID 2816 wrote to memory of 2516	2816	javaw.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a3b2ac28fb71d8461b6c90327fabb5a1.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2736
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dabojtncc.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.83160535150108557398704779228412557.class
    3⤵
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.83160535150108557398704779228412557.class

Filesize
61KB

MD5
b32f33019405b01f6563c5dba961d1bd

SHA1
2d5bce8cd411e36a1df543ea08d5ed1bfb4dbd2b

SHA256
bcfa917d54f587be8aa5bcc8d46fdedbc8b60d7ed30b3663cdbc7b3584070e20

SHA512
12ce79b5ad91985c0f7ea28ee7b793c8d816a3fb690fdc070e50c56c880f7ef8475c3eecf9a219607889a550de378fd720fe6e12523cb5e1b18dea308c302ba8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-928733405-3780110381-2966456290-1000\83aa4cc77f591dfc2374580bbd95f6ba_3d25fb85-47e3-4ffb-8cc7-d217183fd877

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\dabojtncc.txt

Filesize
473KB

MD5
57845a03f0630d3fbb9caa203e940935

SHA1
9c4bb48d46593af760ddb9aec6160e2f379e99f7

SHA256
85e1a1df9973a080afe6a11d338a36994732a40cf9f891ec7f2b69dc56aed19f

SHA512
7ede78b67b49d91d13ab3eb642874263899231d1c4fbb1fa5575f8c904f46fb32091986b9bd9f2824859f6e6748f112314e745f0ac858d08f3a3b9b152ee64e1

Download Submit
C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js

Filesize
10KB

MD5
1ba75bca44a20a321cea4e496ce91a85

SHA1
5a14b44b498f56cbe7b248c537479c845ff465c6

SHA256
4035eee1e50075cfcaf233c8d0511dfeeeb01870b1a4baf4a43e9b37a03cc804

SHA512
2aaf2cafe8951a03e81d56eadb1d83516a9fc986d7ce6e8aa9a2704da1916feb900b42e271979cdfd0c8852ed2fa17c948a394d3e5977a47e2140fcb2d945481

Download Submit
memory/2516-24-0x00000000022D0000-0x00000000052D0000-memory.dmp

Filesize
48.0MB

Download
memory/2516-32-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2516-62-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2516-63-0x00000000022D0000-0x00000000052D0000-memory.dmp

Filesize
48.0MB

Download
memory/2816-10-0x0000000002240000-0x0000000005240000-memory.dmp

Filesize
48.0MB

Download
memory/2816-26-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2816-35-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2816-56-0x0000000002240000-0x0000000005240000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads