vjw0rm | f8feadc1125cf67e04a78dddf70c6eef258178b9c38d23ab9be976c9f2c71c72

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cba408df86e977b569cbbbb620f6541.jar
Size

129KB
MD5

4cba408df86e977b569cbbbb620f6541
SHA1

062a68ec018d9ee80666386cf505dd65bd316f24
SHA256

f8feadc1125cf67e04a78dddf70c6eef258178b9c38d23ab9be976c9f2c71c72
SHA512

4478e08c27d1dcda2d7a4da70bc94d5a329815e9bb820e9319d348b46fdd04abb0ae95304d699af58c0ef48c99506214addedfe59362a2774ef68f9b26c89e40
SSDEEP

3072:2d+2eE4r5mV/KoUzvUWyWa2U73yERqTjdDzFXEpcTxiA:2UBmYo2MzB2U7ippzFUpcTQA

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eohMqhWkvF.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1812	2928	java.exe	29
PID 2928 wrote to memory of 1812	2928	java.exe	29
PID 2928 wrote to memory of 1812	2928	java.exe	29
PID 1812 wrote to memory of 2668	1812	wscript.exe	31
PID 1812 wrote to memory of 2668	1812	wscript.exe	31
PID 1812 wrote to memory of 2668	1812	wscript.exe	31
PID 1812 wrote to memory of 2588	1812	wscript.exe	30
PID 1812 wrote to memory of 2588	1812	wscript.exe	30
PID 1812 wrote to memory of 2588	1812	wscript.exe	30

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\4cba408df86e977b569cbbbb620f6541.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\lrpgqbmepw.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kwxbxxqsi.txt"
    3⤵
    PID:2588
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js

Filesize
10KB

MD5
bd854a8caf7e7c7755481169afebeb9d

SHA1
46d81477627836bdda15137a8837d10eb84bbbfc

SHA256
c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9

SHA512
5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5

Download Submit
C:\Users\Admin\AppData\Roaming\kwxbxxqsi.txt

Filesize
92KB

MD5
60822b2d52ae85dd32f95feb662be372

SHA1
3181aeefc4d180403b58245110dd9fe031a5274a

SHA256
9608f3f45074b5797b9b3e62c09480e3f78a1ba4b8550b67ad9287e9311b3e70

SHA512
064f9df2b7515087d3d54ba23a023e4b6ca429d6c1004aac2b2c50abb16561228cb6f3322059afadb47f200580468a2af2f4d053ad04337551f4f9337ce2c969

Download Submit
C:\Users\Admin\lrpgqbmepw.js

Filesize
207KB

MD5
5e62b21da65c21843765eec3519d08fa

SHA1
be3a7074f1f9bf1065859c200f41389d289c7de5

SHA256
741c1ef88d98a8945e91a8d899c93e31d0639ee727d541f0658e8f80136faf39

SHA512
83d6c6d0f667bd0c9ff7b558f4982a6f18dc33b19ddd4fa48c703bc8ff3948018420c6dab586553588e8a9db8f19bf392486b65c994fa472cf4c209983fff11e

Download Submit
memory/2588-30-0x0000000002630000-0x0000000005630000-memory.dmp

Filesize
48.0MB

Download
memory/2588-29-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2588-32-0x0000000002630000-0x0000000005630000-memory.dmp

Filesize
48.0MB

Download
memory/2928-8-0x00000000024F0000-0x00000000054F0000-memory.dmp

Filesize
48.0MB

Download
memory/2928-12-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads