vjw0rm | f8273617fe63d7b1e783427b76f0b250b428648e7cb47a45bcf98fa72bc708f3

General

Target

KNRyOLnGcT_UKWN.jar
Size

1.2MB
MD5

5cdffc26c265c48cdbbf1aae06cc101c
SHA1

566fb395a9586ca59c4317af8b8a6e656352d5fa
SHA256

5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
SHA512

f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
SSDEEP

24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4988	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eVvEfMYHrV.js\""	WScript.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2956	javaw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 4988	1984	java.exe	89
PID 1984 wrote to memory of 4988	1984	java.exe	89
PID 1984 wrote to memory of 1456	1984	java.exe	90
PID 1984 wrote to memory of 1456	1984	java.exe	90
PID 1456 wrote to memory of 1164	1456	wscript.exe	91
PID 1456 wrote to memory of 1164	1456	wscript.exe	91
PID 1456 wrote to memory of 2956	1456	wscript.exe	92
PID 1456 wrote to memory of 2956	1456	wscript.exe	92
PID 2956 wrote to memory of 3144	2956	javaw.exe	94
PID 2956 wrote to memory of 3144	2956	javaw.exe	94

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KNRyOLnGcT_UKWN.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4988
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:1164
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cjyqkrlqj.txt"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.364944536271687359294783800238803.class
      4⤵
      Drops file in Program Files directory
      PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.364944536271687359294783800238803.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\cjyqkrlqj.txt

Filesize
44KB

MD5
227be10986cca71f0e5fd278eed19db5

SHA1
d3a07185303858415f4390c202d9b16a4a1430b7

SHA256
be0a70d41f2f69dc7d4587d87ce5a35a468a7d45d9d1be73e7d63fb403d736bd

SHA512
961e164b4f1f2433a031fcbed719b6d6d59112725896b83940b641e9f001bd1a87556a31bd313cc262bbbe90d67b44070da632953c4c3ec1e1aeeade2c3f99ae

Download Submit
C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js

Filesize
14KB

MD5
7da63b5e09aca81ff9226cb98eb7c07f

SHA1
95b8e956af1684adfa7eeb44fbb8703e314ed714

SHA256
9591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20

SHA512
608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70

Download Submit
C:\Users\Admin\_output.js

Filesize
110KB

MD5
6b4a26f340e75e0c105ccb9e8f9b847b

SHA1
122f0c02898e3529fe56375438b3ad7dc6c3dd49

SHA256
7b017dde40cef9aa1813cf5b2af7dfab5869973794062b56cb7eec6165264d4b

SHA512
9aabe84fbdc8a104e8e434281f0b2b3f64763c7295c6689c8fdb54d3d39b02b679beb3937f38e320426e4593028d7ec70f7ce408e20644f3803263c492e152ce

Download Submit
memory/1984-14-0x000001EC9AA80000-0x000001EC9AA81000-memory.dmp

Filesize
4KB

Download
memory/1984-4-0x000001EC9AAA0000-0x000001EC9BAA0000-memory.dmp

Filesize
16.0MB

Download
memory/2956-101-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-83-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-40-0x000001852CD40000-0x000001852CD41000-memory.dmp

Filesize
4KB

Download
memory/2956-104-0x000001852E850000-0x000001852E860000-memory.dmp

Filesize
64KB

Download
memory/2956-106-0x000001852E860000-0x000001852E870000-memory.dmp

Filesize
64KB

Download
memory/2956-66-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-105-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-103-0x000001852E800000-0x000001852E810000-memory.dmp

Filesize
64KB

Download
memory/2956-81-0x000001852CD40000-0x000001852CD41000-memory.dmp

Filesize
4KB

Download
memory/2956-38-0x000001852CD40000-0x000001852CD41000-memory.dmp

Filesize
4KB

Download
memory/2956-86-0x000001852CD40000-0x000001852CD41000-memory.dmp

Filesize
4KB

Download
memory/2956-94-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-31-0x000001852E570000-0x000001852F570000-memory.dmp

Filesize
16.0MB

Download
memory/2956-102-0x000001852E7E0000-0x000001852E7F0000-memory.dmp

Filesize
64KB

Download
memory/3144-80-0x0000023EC5850000-0x0000023EC5860000-memory.dmp

Filesize
64KB

Download
memory/3144-79-0x0000023EC5840000-0x0000023EC5850000-memory.dmp

Filesize
64KB

Download
memory/3144-54-0x0000023EC55B0000-0x0000023EC55B1000-memory.dmp

Filesize
4KB

Download
memory/3144-51-0x0000023EC55D0000-0x0000023EC65D0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads