vjw0rm | 3f3078681946b25aaa311dfcf051d2a27752ffcc893fc15d16423a68c2e6f69c

General

Target

Remittance-634731.js
Size

462KB
MD5

526e79a834bb7c263ee552706e8ca417
SHA1

088706831253c13f4d77a76c3e9c4e85ac15e104
SHA256

421c6e4dc68b3eb178243788435e0346b78fae06ffa5126c7b95bd222da0f9d9
SHA512

8bb57999c72b37b2572c166c46026f53c5746992c0a7019f5aa74651e87bef9042254d031412c458a9542e38f61304756787822ffc4ef2ffcf3bd1ae07ccb59f
SSDEEP

6144:b2MG+uzi8Smdo2S/2/7Xu3b318f2MG+uzi8Smdo2S/2/7Xu3b318g:oK8Smdoh/awbKEK8Smdoh/awbKg

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4984	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\RypRJcyXfu.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4644	5068	wscript.exe	91
PID 5068 wrote to memory of 4644	5068	wscript.exe	91
PID 5068 wrote to memory of 3996	5068	wscript.exe	92
PID 5068 wrote to memory of 3996	5068	wscript.exe	92
PID 3996 wrote to memory of 4984	3996	javaw.exe	97
PID 3996 wrote to memory of 4984	3996	javaw.exe	97

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Remittance-634731.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4644
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\avjmmjkfvr.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js

Filesize
14KB

MD5
1ba12eceb96fcc3f701b57a122d2d619

SHA1
e6760348cbee519d5f6d99f38cce7c4ead6fc9fa

SHA256
f5582ff25d56281b7a5158ff4105d71f6a1453f1f75e4f26a0d82efd2f61160d

SHA512
08a22d4a5642a828ebfdb18c99d20cbaa49ee966cd166f4338a8ddfc17875da3f5bb1feb7ab8a7aab3e2b98adca9d9464b786d7dc8329cad1e52082669b81ed7

Download Submit
C:\Users\Admin\AppData\Roaming\avjmmjkfvr.txt

Filesize
105KB

MD5
4b04a5e29aeac9bc79a101dc514c33a4

SHA1
57abb8775a1d7642066df1acfb2568d92735f359

SHA256
c327f4e0d967b4560a204eaf5af02c7dc6a1d0989b57a8ce72afc640705170b9

SHA512
b4bf9a4f313b36291673912ae11315cbbf594ee6fe7df62a2e20fb795edb0db0862cdef20e81b391cdead629b11ad24922431766ab00f7810cfb097abae6e442

Download Submit
memory/3996-9-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-18-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-19-0x0000024437720000-0x0000024437721000-memory.dmp

Filesize
4KB

Download
memory/3996-32-0x0000024437720000-0x0000024437721000-memory.dmp

Filesize
4KB

Download
memory/3996-38-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-40-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-45-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-54-0x0000024437720000-0x0000024437721000-memory.dmp

Filesize
4KB

Download
memory/3996-55-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-65-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-68-0x0000024438FB0000-0x0000024439FB0000-memory.dmp

Filesize
16.0MB

Download
memory/3996-83-0x0000024437720000-0x0000024437721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads