vjw0rm | 87d6eb8714fe79b95f2f74649cd2fef28e9d57e4c4e990d7ac0f0f6281b978f8

General

Target

b8722654a1ef8fcfebf490bce2492392.js
Size

207KB
MD5

b8722654a1ef8fcfebf490bce2492392
SHA1

7669dfc5f9bf91b3231fe30cb052adeb60e5f749
SHA256

87d6eb8714fe79b95f2f74649cd2fef28e9d57e4c4e990d7ac0f0f6281b978f8
SHA512

2ceff57cdf708ebe9c4b3735589045730178bf9914bcebef478c5ec8fa14fcd879c71c5543c7b90faff71f70ed477f1376e070785e2d3bbe52f11397aaec1846
SSDEEP

3072:n3zn7Ok2Cw2jnNqAQ6rJBBjQ/+E8L+dE/6QXqU3OTBc0JF7mn+CtY6K1LmvjIPdB:z7Fng6FBBcpgC2FZ3AD7mn+v6ALkEdqO

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DGjEIUIodz.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DGjEIUIodz.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2348	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\DGjEIUIodz.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 620	1512	wscript.exe	89
PID 1512 wrote to memory of 620	1512	wscript.exe	89
PID 1512 wrote to memory of 4192	1512	wscript.exe	90
PID 1512 wrote to memory of 4192	1512	wscript.exe	90
PID 4192 wrote to memory of 2348	4192	javaw.exe	92
PID 4192 wrote to memory of 2348	4192	javaw.exe	92

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\b8722654a1ef8fcfebf490bce2492392.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:620
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\figrxjhtf.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4c003c69c6a03338cdc4632a2b9a5f77

SHA1
80f34b889274c03fcf478076d80c52819f590e40

SHA256
5c888e68bf75a6d0b19a9f1ebf1b0e9e439efc30919f421ba9edfb67954dd47e

SHA512
b82cb7f4d9809f8a3cbe8edfb0e0e90da0c68bb20c8e7ebe5c802b05e7570c225494a1dd4a018d5005407493ac28168c159d27037ab25b734052b8c47c0e6b44

Download Submit
C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js

Filesize
10KB

MD5
f38989cc8aaa486a1d20937d3364715c

SHA1
33dd1be185eba1eb4a6c52182c3df3f53ca6e9a5

SHA256
e582d7660be65f8dcfc39688ea515022baaa734b5fb336e7f2a1e4e19071b4d5

SHA512
c619a61774708eb36cf96b634221dad4d72f0fc5f820866508b0540415ee436b9fcb7779795d7a8f7096f68296e41088d650134c1b67f3a77105a31f9026ed0a

Download Submit
C:\Users\Admin\AppData\Roaming\figrxjhtf.txt

Filesize
92KB

MD5
af3ce0807ad734c6e6b2f35d7ddf06ad

SHA1
8b771d227019e07a077aaed04d5f1016ed37cb95

SHA256
a586c03463ca23ecb682d1505492ce375e63f3d7bd26cc12272e716a3f0016d3

SHA512
771e3d25082b3d55e10f42008d363a08756ab437f1c7880911f18d73457e5a8aa599eb6dce52c854955faded427ff17c5a37d755c70304a05eff3f0e7eeadd08

Download Submit
memory/4192-72-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-87-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-29-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-37-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-38-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-44-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-45-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-46-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-48-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-63-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-67-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-15-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-80-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-19-0x00000284295B0000-0x00000284295B1000-memory.dmp

Filesize
4KB

Download
memory/4192-89-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-94-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-98-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-100-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-101-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-104-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-106-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-132-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-159-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-166-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download
memory/4192-175-0x00000284295D0000-0x000002842A5D0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads