vjw0rm | f8feadc1125cf67e04a78dddf70c6eef258178b9c38d23ab9be976c9f2c71c72

General

Target

4cba408df86e977b569cbbbb620f6541.jar
Size

129KB
MD5

4cba408df86e977b569cbbbb620f6541
SHA1

062a68ec018d9ee80666386cf505dd65bd316f24
SHA256

f8feadc1125cf67e04a78dddf70c6eef258178b9c38d23ab9be976c9f2c71c72
SHA512

4478e08c27d1dcda2d7a4da70bc94d5a329815e9bb820e9319d348b46fdd04abb0ae95304d699af58c0ef48c99506214addedfe59362a2774ef68f9b26c89e40
SSDEEP

3072:2d+2eE4r5mV/KoUzvUWyWa2U73yERqTjdDzFXEpcTxiA:2UBmYo2MzB2U7ippzFUpcTQA

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2756	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eohMqhWkvF.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 2756	232	java.exe	90
PID 232 wrote to memory of 2756	232	java.exe	90
PID 232 wrote to memory of 4392	232	java.exe	92
PID 232 wrote to memory of 4392	232	java.exe	92
PID 4392 wrote to memory of 4744	4392	wscript.exe	93
PID 4392 wrote to memory of 4744	4392	wscript.exe	93
PID 4392 wrote to memory of 1340	4392	wscript.exe	94
PID 4392 wrote to memory of 1340	4392	wscript.exe	94

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\4cba408df86e977b569cbbbb620f6541.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2756
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\lrpgqbmepw.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:4744
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cumdistciq.txt"
    3⤵
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
013bcd19843480a24680194958bab7b6

SHA1
f27035d6458204f2d0457b687108dead7eb459cf

SHA256
48413fa47fbb522e0277ab215ff716f07459f7501ee712e94f8e459a9668d53c

SHA512
5615acc6df969362ec71223558449b145906bf6a71eadb15efee4d590c09abf60b7eb207a4729f1779c985aec0e4dfcdca945c6b8255fed1c065b9be4ec4d1b5

Download Submit
C:\Users\Admin\AppData\Roaming\cumdistciq.txt

Filesize
64KB

MD5
ed96bce0e060037c90915867199c5809

SHA1
3a015650988b040d5be8bd92c40e4453c0eae9dc

SHA256
568fb6d57ca86a7cf7b2a46da8deb9ac210c2b74f04ead19faf3b08ad8807434

SHA512
a028244dfebb5f9f42066a515e412ec0f1ff463ecaeeeee3e665ce09502d1edbeb09369bea04faef932241fc69cbf5dd5cfe840d0c43ee72b63e2dbc7398034b

Download Submit
C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js

Filesize
10KB

MD5
bd854a8caf7e7c7755481169afebeb9d

SHA1
46d81477627836bdda15137a8837d10eb84bbbfc

SHA256
c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9

SHA512
5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5

Download Submit
C:\Users\Admin\lrpgqbmepw.js

Filesize
207KB

MD5
5e62b21da65c21843765eec3519d08fa

SHA1
be3a7074f1f9bf1065859c200f41389d289c7de5

SHA256
741c1ef88d98a8945e91a8d899c93e31d0639ee727d541f0658e8f80136faf39

SHA512
83d6c6d0f667bd0c9ff7b558f4982a6f18dc33b19ddd4fa48c703bc8ff3948018420c6dab586553588e8a9db8f19bf392486b65c994fa472cf4c209983fff11e

Download Submit
memory/232-4-0x000001ECACE90000-0x000001ECADE90000-memory.dmp

Filesize
16.0MB

Download
memory/232-14-0x000001ECAB650000-0x000001ECAB651000-memory.dmp

Filesize
4KB

Download
memory/1340-49-0x000001ED34B10000-0x000001ED34B11000-memory.dmp

Filesize
4KB

Download
memory/1340-70-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-38-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-50-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-27-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-61-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-66-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-39-0x000001ED34B10000-0x000001ED34B11000-memory.dmp

Filesize
4KB

Download
memory/1340-74-0x000001ED34B10000-0x000001ED34B11000-memory.dmp

Filesize
4KB

Download
memory/1340-100-0x000001ED34B10000-0x000001ED34B11000-memory.dmp

Filesize
4KB

Download
memory/1340-101-0x000001ED34B10000-0x000001ED34B11000-memory.dmp

Filesize
4KB

Download
memory/1340-127-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-131-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-135-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-140-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download
memory/1340-144-0x000001ED36400000-0x000001ED37400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads