vjw0rm | dd4296bc6397703d32c73bbda6dd2c497efc93af64a4e014b4803a00454225bf

General

Target

4318853a176d5131f68bb12610cf3c97.js
Size

193KB
MD5

4318853a176d5131f68bb12610cf3c97
SHA1

79d939eefc5aede217e216934bc8b83271507aa8
SHA256

dd4296bc6397703d32c73bbda6dd2c497efc93af64a4e014b4803a00454225bf
SHA512

eac3796038e521799ad8e043fcac06e35b7f980530b5e34cd44b7e876f591223aaf21ff280b3249e01550d66d8922f589cf019a04884b2c3a69f3da1c7f3f4ca
SSDEEP

3072:MkHXMMrlxtiu4RuxILhHUGLiE+3F4surdgUBOBJ5rOAzmIIC+7:tMii4iLBUGLiEm1PUBOBJ5aAzqC+7

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GySjyuTJbo.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GySjyuTJbo.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3200	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\GySjyuTJbo.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2436	3100	Process not Found	26
PID 3100 wrote to memory of 2436	3100	Process not Found	26
PID 3100 wrote to memory of 2788	3100	Process not Found	27
PID 3100 wrote to memory of 2788	3100	Process not Found	27
PID 2788 wrote to memory of 3200	2788	javaw.exe	66
PID 2788 wrote to memory of 3200	2788	javaw.exe	66

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4318853a176d5131f68bb12610cf3c97.js
1⤵
PID:3100
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\GySjyuTJbo.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2436
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ytxtrzg.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
50c8302414c40a19e6b3343261630696

SHA1
17cc83538626d901eab90ee2be81d3f37ef4855c

SHA256
13cf6e6c50c534f5223d2ef77a8ea5bbd1943ce511430b1119c33272cb89ae1a

SHA512
439cd29961b70765bdd8d2da7920f503b0fa29af74dc1a111225470a608432c525ee7d008acfef337f0ada4b3d70234622236fa620a86af203125579056cbf26

Download Submit
C:\Users\Admin\AppData\Roaming\GySjyuTJbo.js

Filesize
9KB

MD5
f62440f09898b39fea134065ef66629f

SHA1
6481a10130d0f04b618edffe25e447f361b610bd

SHA256
44c4da720bcd803731900f96e48662ea55da18b4fdcf1152192ca4322b9cb328

SHA512
cfdd9fe2ab94e698d6616e1a4143a0ecbb970f01259ce555fded0673a605e1b0799ed877a77c011b9ce0cf912c3fc3d693bb9796253199321606e9136b38b33f

Download Submit
C:\Users\Admin\AppData\Roaming\ytxtrzg.txt

Filesize
88KB

MD5
468ec549c270898563a0d61e42a3bd17

SHA1
6bbd046226d2a87abd4e24d9831e029d97f5e0c7

SHA256
ba97fd311dcae06ced279a1a5503252c7c0986a28e4168f0f96b4afcbcb7f79b

SHA512
e9071cd00f5c12810e08655f9dedd740fa3052132467a1596056d986a505d980fde4a0bac0d9ff573b630fd0c5b4aeec05b878bd3d05c549e9745fe26dbc8039

Download Submit
memory/2788-38-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-45-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-26-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-36-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-37-0x00000285F4300000-0x00000285F4301000-memory.dmp

Filesize
4KB

Download
memory/2788-9-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-39-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-19-0x00000285F4300000-0x00000285F4301000-memory.dmp

Filesize
4KB

Download
memory/2788-48-0x0000028580290000-0x00000285802A0000-memory.dmp

Filesize
64KB

Download
memory/2788-47-0x0000028580280000-0x0000028580290000-memory.dmp

Filesize
64KB

Download
memory/2788-49-0x00000285802E0000-0x00000285802F0000-memory.dmp

Filesize
64KB

Download
memory/2788-51-0x0000028580300000-0x0000028580310000-memory.dmp

Filesize
64KB

Download
memory/2788-53-0x0000028580320000-0x0000028580330000-memory.dmp

Filesize
64KB

Download
memory/2788-52-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download
memory/2788-50-0x0000028580310000-0x0000028580320000-memory.dmp

Filesize
64KB

Download
memory/2788-54-0x0000028580000000-0x0000028581000000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads