vjw0rm | e4310114f26e15fa07e71124920ed389f53e21ee57aad649e912ea15ef4e5ebf

Analysis

max time kernel
14s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1151de818776c906cf7e06cc24c91f5f.jar
Size

128KB
MD5

1151de818776c906cf7e06cc24c91f5f
SHA1

6cd199b2909eea9731de0dfcaa73a1370d7bfdd7
SHA256

e4310114f26e15fa07e71124920ed389f53e21ee57aad649e912ea15ef4e5ebf
SHA512

d452b51448d38337141a8f6b6d7f6d2941042493baa8e30e91f187f6d4b22e7cc6da14543e7fa141ae1a4dadb5bcbe0f70d0912eb0d63195d1c72cbb493b1e59
SSDEEP

3072:tlf2sc96eDRPXOIGdZ5XNKgfTuoTnA8pUfJ9Ifs20mBtHux/:/WdvGdNVLuoTnRpOUkEBtHw

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ruYArSxXtj.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2676	2736	java.exe	29
PID 2736 wrote to memory of 2676	2736	java.exe	29
PID 2736 wrote to memory of 2676	2736	java.exe	29
PID 2676 wrote to memory of 3052	2676	wscript.exe	31
PID 2676 wrote to memory of 3052	2676	wscript.exe	31
PID 2676 wrote to memory of 3052	2676	wscript.exe	31
PID 2676 wrote to memory of 2780	2676	wscript.exe	30
PID 2676 wrote to memory of 2780	2676	wscript.exe	30
PID 2676 wrote to memory of 2780	2676	wscript.exe	30

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1151de818776c906cf7e06cc24c91f5f.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ohytlc.txt"
    3⤵
    PID:2780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ohytlc.txt

Filesize
64KB

MD5
5c4de8ab382597f59e335a7fae865023

SHA1
4a40d74eca5bbb29dfd0550bcfd207c36669343c

SHA256
6f75fd6102fbb58e10ce740cb36bec1866d13035f9503faa09b1b447abeb61b3

SHA512
15ff7eaaebe3f6963b45cc7a6a11e23474daf862bb5430e555877cca0b8596412c7c427e2fbfcacd3810e735c78360e33815d218ba52be62de36acae8f70be2c

Download Submit
C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js

Filesize
9KB

MD5
ca4e11b0bbf70a587e0d653bfceded8c

SHA1
c70eeac3273988740e937e21e11948b003295582

SHA256
d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d

SHA512
291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0

Download Submit
C:\Users\Admin\[output].js

Filesize
201KB

MD5
235c68f406aa41b7e1a87e35d83add4c

SHA1
dadb5bd81a34b437863e3d744ea0a06c48533b39

SHA256
9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d

SHA512
158661fdbd3c48fb3f3dba455833553e0c3c1c64d4007262515a689f755f5b752b34f7ead147834852445f60328e3d66b0ea44bfa79372f1667ea14297fa7d1a

Download Submit
memory/2736-8-0x00000000024D0000-0x00000000054D0000-memory.dmp

Filesize
48.0MB

Download
memory/2736-12-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2780-28-0x0000000002550000-0x0000000005550000-memory.dmp

Filesize
48.0MB

Download
memory/2780-31-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2780-33-0x0000000002550000-0x0000000005550000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads