vjw0rm | 9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d | Triage

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:49 UTC

Sharing

Report Analysis Logs

General

Target

235c68f406aa41b7e1a87e35d83add4c.js
Size

201KB
MD5

235c68f406aa41b7e1a87e35d83add4c
SHA1

dadb5bd81a34b437863e3d744ea0a06c48533b39
SHA256

9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d
SHA512

158661fdbd3c48fb3f3dba455833553e0c3c1c64d4007262515a689f755f5b752b34f7ead147834852445f60328e3d66b0ea44bfa79372f1667ea14297fa7d1a
SSDEEP

3072:ucygHBboR/hsrTjXCXJiMJexk0/ouyvTXiPbPN4kAx/cdDQaL:5HBb65CyNJexk0oGPD8KRL

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ruYArSxXtj.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2704	2496	wscript.exe	28
PID 2496 wrote to memory of 2704	2496	wscript.exe	28
PID 2496 wrote to memory of 2704	2496	wscript.exe	28
PID 2496 wrote to memory of 2708	2496	wscript.exe	29
PID 2496 wrote to memory of 2708	2496	wscript.exe	29
PID 2496 wrote to memory of 2708	2496	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\235c68f406aa41b7e1a87e35d83add4c.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2704
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qrijzne.txt"
  2⤵
  PID:2708

Network

DNS

javaslinns.duia.ro

WScript.exe

Remote address:

8.8.8.8:53

Request

javaslinns.duia.ro

IN A

Response
DNS

github.com

javaw.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

140.82.121.3
DNS

repo1.maven.org

javaw.exe

Remote address:

8.8.8.8:53

Request

repo1.maven.org

IN A

Response

repo1.maven.org

IN CNAME

dualstack.sonatype.map.fastly.net

dualstack.sonatype.map.fastly.net

IN A

199.232.192.209

dualstack.sonatype.map.fastly.net

IN A

199.232.196.209

140.82.121.3:443

github.com

tls

javaw.exe

589 B
283 B
8
6
199.232.192.209:443

repo1.maven.org

tls

javaw.exe

450 B
144 B
5
3
199.232.192.209:443

repo1.maven.org

tls

javaw.exe

450 B
144 B
5
3
199.232.192.209:443

repo1.maven.org

tls

javaw.exe

680 B
4.2kB
10
9

8.8.8.8:53

javaslinns.duia.ro

dns

WScript.exe

64 B
120 B
1
1

DNS Request

javaslinns.duia.ro
8.8.8.8:53

github.com

dns

javaw.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

140.82.121.3
8.8.8.8:53

repo1.maven.org

dns

javaw.exe

61 B
140 B
1
1

DNS Request

repo1.maven.org

DNS Response

199.232.192.209

199.232.196.209

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qrijzne.txt

Filesize
92KB

MD5
ae4f924072e8dd90687607e7becdde2e

SHA1
225d2c7cf6506bf59d865fe3dba1b6c1736d492b

SHA256
915de15ccb287c58270e6bc23523b0cde9ce077dbc0fef517faca1a1a0313286

SHA512
14da1de2af981af4390e3bb95e29f968f0ef67af011202ce9f598e9f553f822e37013301c965f871ad2660cc451fb7c1ad619bf9533405e7424ad88f199803f0

Download Submit
C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js

Filesize
9KB

MD5
ca4e11b0bbf70a587e0d653bfceded8c

SHA1
c70eeac3273988740e937e21e11948b003295582

SHA256
d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d

SHA512
291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0

Download Submit
memory/2708-10-0x0000000002280000-0x0000000005280000-memory.dmp

Filesize
48.0MB

Download
memory/2708-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-40-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-52-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-68-0x0000000002280000-0x0000000005280000-memory.dmp

Filesize
48.0MB

Download
memory/2708-70-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download