vjw0rm | f8072b70de0274e7ab66807a7a0cb7eb340fd5605f626f44c6b92b53723772f7

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b56b3aca6d7d4f2172ce0a049274877.jar
Size

123KB
MD5

2b56b3aca6d7d4f2172ce0a049274877
SHA1

32329e69b2bb0caa995364b2aa4b9621f750865d
SHA256

f8072b70de0274e7ab66807a7a0cb7eb340fd5605f626f44c6b92b53723772f7
SHA512

831adcd64a78c51a76fc658c90985897e49b72ab6bcbd771ced8e618bcd1ecf5518da6386992e49cb95d89ec1f5eebce1f00ea4b3e49234f9e77f2a51f27aecd
SSDEEP

3072:0OKOzBtFFQMfhxrhno5AoHNBqdOSCo5ks:MmBvqMbFuWMkF

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GySjyuTJbo.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GySjyuTJbo.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\GySjyuTJbo.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2832	2088	java.exe	29
PID 2088 wrote to memory of 2832	2088	java.exe	29
PID 2088 wrote to memory of 2832	2088	java.exe	29
PID 2832 wrote to memory of 2748	2832	wscript.exe	30
PID 2832 wrote to memory of 2748	2832	wscript.exe	30
PID 2832 wrote to memory of 2748	2832	wscript.exe	30
PID 2832 wrote to memory of 2804	2832	wscript.exe	31
PID 2832 wrote to memory of 2804	2832	wscript.exe	31
PID 2832 wrote to memory of 2804	2832	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\2b56b3aca6d7d4f2172ce0a049274877.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\GySjyuTJbo.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2748
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ixpwplzddg.txt"
    3⤵
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GySjyuTJbo.js

Filesize
9KB

MD5
f62440f09898b39fea134065ef66629f

SHA1
6481a10130d0f04b618edffe25e447f361b610bd

SHA256
44c4da720bcd803731900f96e48662ea55da18b4fdcf1152192ca4322b9cb328

SHA512
cfdd9fe2ab94e698d6616e1a4143a0ecbb970f01259ce555fded0673a605e1b0799ed877a77c011b9ce0cf912c3fc3d693bb9796253199321606e9136b38b33f

Download Submit
C:\Users\Admin\AppData\Roaming\ixpwplzddg.txt

Filesize
88KB

MD5
468ec549c270898563a0d61e42a3bd17

SHA1
6bbd046226d2a87abd4e24d9831e029d97f5e0c7

SHA256
ba97fd311dcae06ced279a1a5503252c7c0986a28e4168f0f96b4afcbcb7f79b

SHA512
e9071cd00f5c12810e08655f9dedd740fa3052132467a1596056d986a505d980fde4a0bac0d9ff573b630fd0c5b4aeec05b878bd3d05c549e9745fe26dbc8039

Download Submit
C:\Users\Admin\_output.js

Filesize
193KB

MD5
4318853a176d5131f68bb12610cf3c97

SHA1
79d939eefc5aede217e216934bc8b83271507aa8

SHA256
dd4296bc6397703d32c73bbda6dd2c497efc93af64a4e014b4803a00454225bf

SHA512
eac3796038e521799ad8e043fcac06e35b7f980530b5e34cd44b7e876f591223aaf21ff280b3249e01550d66d8922f589cf019a04884b2c3a69f3da1c7f3f4ca

Download Submit
memory/2088-8-0x00000000023F0000-0x00000000053F0000-memory.dmp

Filesize
48.0MB

Download
memory/2088-12-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2804-29-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2804-30-0x00000000026C0000-0x00000000056C0000-memory.dmp

Filesize
48.0MB

Download
memory/2804-32-0x00000000026C0000-0x00000000056C0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads