vjw0rm | c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52

General

Target

0982fc211767a61d7a3ef26ad2405be6.js
Size

200KB
MD5

0982fc211767a61d7a3ef26ad2405be6
SHA1

e00d78a7ac396441217c133ba728af2a7aa67c9d
SHA256

c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52
SHA512

a3b15291adb751a83386b1ba0cf1fd89843237a7f4ce6402a11a5099a8f18f8caa652842532310c768734ff670f46df28da8893c869a8e564a17268c13897d57
SSDEEP

3072:MIyNq6qDEs1LBG0J9DaDr0M4Uf+XZ8qwivPZUheXdvoX3FOL3oReKN:+bs1td9DaDKU2JVDvRU6dvSOsIKN

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4640	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\iZuOkORefJ.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 3164	5000	wscript.exe	87
PID 5000 wrote to memory of 3164	5000	wscript.exe	87
PID 5000 wrote to memory of 1132	5000	wscript.exe	90
PID 5000 wrote to memory of 1132	5000	wscript.exe	90
PID 1132 wrote to memory of 4640	1132	javaw.exe	93
PID 1132 wrote to memory of 4640	1132	javaw.exe	93

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0982fc211767a61d7a3ef26ad2405be6.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3164
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zqpqefompj.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f3d7c98b8911e285aa5e79f2535cd6d0

SHA1
6b8cc427c0934cd10ac37339d2f02009eb60dde1

SHA256
88dfa6bd0d83b5c0936e2a3047ad46c583f8cdb6d8c1cd51225e729d451675f1

SHA512
92ac6e4677250dc36fe436fbc9ccc4e0b260fc099e56805c05f145c493ef1b7989d3d53f27133a7146167f264b69f82ba3f511a215cc78890cb722d2d4e81fd6

Download Submit
C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js

Filesize
9KB

MD5
ba88b3aeea9cd6596528119b0a81e127

SHA1
af06129ded6c4e82b5c16607c3cbae77691d8407

SHA256
7417fe426dc695b070d697d4cd2add731e80cab5bd1f15ae01c26d3bf7ff6812

SHA512
4deb61ea7ea3a5cec8fee42e878cc3704375f05ff3c68ae1cc7154885919c2f3952e22a042d716efe4277041f9384203f13308f1e9ce7338139cb4d314424d38

Download Submit
C:\Users\Admin\AppData\Roaming\zqpqefompj.txt

Filesize
92KB

MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/1132-42-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-70-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-27-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-31-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-32-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-33-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-37-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-9-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-44-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-18-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-71-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-75-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-76-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-79-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-81-0x000001F5355A0000-0x000001F5355A1000-memory.dmp

Filesize
4KB

Download
memory/1132-80-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-85-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-92-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-103-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download
memory/1132-113-0x000001F5355C0000-0x000001F5365C0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads