vjw0rm | 5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737

Analysis

max time kernel
105s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cdffc26c265c48cdbbf1aae06cc101c.jar
Size

1.2MB
MD5

5cdffc26c265c48cdbbf1aae06cc101c
SHA1

566fb395a9586ca59c4317af8b8a6e656352d5fa
SHA256

5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
SHA512

f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
SSDEEP

24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2828	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eVvEfMYHrV.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
640	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 2828	4732	java.exe	87
PID 4732 wrote to memory of 2828	4732	java.exe	87
PID 4732 wrote to memory of 5032	4732	java.exe	90
PID 4732 wrote to memory of 5032	4732	java.exe	90
PID 5032 wrote to memory of 1532	5032	wscript.exe	91
PID 5032 wrote to memory of 1532	5032	wscript.exe	91
PID 5032 wrote to memory of 2872	5032	wscript.exe	92
PID 5032 wrote to memory of 2872	5032	wscript.exe	92
PID 2872 wrote to memory of 640	2872	javaw.exe	94
PID 2872 wrote to memory of 640	2872	javaw.exe	94

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\5cdffc26c265c48cdbbf1aae06cc101c.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2828
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:1532
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kjnvqdni.txt"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.56546007045634747703495095835903772.class
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:640
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1629757191012676413.vbs
        5⤵
        
        PID:1480
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1629757191012676413.vbs
        6⤵
        
        PID:4112
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5368916515681513391.vbs
        5⤵
        
        PID:3472
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:1856
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:2612

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5368916515681513391.vbs
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
2a3619a9a1bb229eb6c66849744467aa

SHA1
83d1b7f33af3bf14a5e3b7897a561628aa0ac144

SHA256
5bd6f90c850af72c1c2e307941e2fa88e752c9c1a04268b6f7a618c8d897a327

SHA512
7c3e956a79579839bf5d90620ddfd29a7694fa5a1f03f617ac07788ae6ce70e3f1903f811207092a0178f994192e96cc78fb69b19b0662b2cdb981eecd623183

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
6106880154d60d225e0a4b32f0c5a532

SHA1
9b9c2e7ae41daad1aa9336a90ba29637bb85b51e

SHA256
a7b3278f9b26e53df886a206a9f4ae3734a58253bb1a48fe97c9084ab8da6028

SHA512
40258456165799d834ebbdb2787a9e9a766459c3fbb3767706b3c442834af07a01c97c76ad60754da2e59cb09a72e9fba403ab11647e2a4ffbf6311e9c2fec11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1629757191012676413.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5368916515681513391.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.56546007045634747703495095835903772.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1497073144-2389943819-3385106915-1000\83aa4cc77f591dfc2374580bbd95f6ba_54283972-31eb-44bb-adba-4e057460c33c

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
57KB

MD5
08396907529afa57f29e79763853b7cf

SHA1
cfa5753b4c158d930c11ab64e48c069a8ef634ef

SHA256
8da5cb1ea086fb4f51a9af886f8f03ded4e0c830c7a1a5d134e1fa03be025928

SHA512
fc6af9d74534b320673e086bc90cf45c43791f34584cd032e476b500a3de75d17f088ddf597bb5d4647f92995533b6ec01e05f2f16137c3da0c526a7e94f5697

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
61KB

MD5
d829db41e4f3935f7d895ddec288f607

SHA1
deb8971768459abcb5d24666eecf45ebdc652af8

SHA256
dfe11ae68d215984ed58fba4f505f26ab6cff6544cc7e30051b49e544baea112

SHA512
8c815d181d7600dc46b5898d930f71a3a904860a7c9fe68ec1a4d976b54355c267c819aaeb4e333f0bd2c5fecbe8886af9b5b69ecff9d8cb639b8fcb1a165bd6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js

Filesize
14KB

MD5
7da63b5e09aca81ff9226cb98eb7c07f

SHA1
95b8e956af1684adfa7eeb44fbb8703e314ed714

SHA256
9591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20

SHA512
608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70

Download Submit
C:\Users\Admin\AppData\Roaming\kjnvqdni.txt

Filesize
64KB

MD5
d54aecfc1565a98ebae11b68a2630d6f

SHA1
0e8730672acec00fe44cbb36d03d1a3074a630e6

SHA256
54d98a03c02b60342825bbedd5e2d0eac0641258eacab906132bb4f2d86f1bf6

SHA512
23d1cdbe393714bacd4ce8577ae499444cd44dc275c811db6baa29b27f125966df9d0d357cf993c6fa09960ae8f8c574644891c2f71b4eb8adc1e16c0c6a9754

Download Submit
C:\Users\Admin\_output.js

Filesize
896KB

MD5
e55f6343d8b71775aaa000091d318403

SHA1
f7a46185a5d6ed638751d4d06fa10c8bc8076a23

SHA256
48a5cbc3f5aeaeaa0e3950245372dba56ef5e3e080e10f23fd06fbd880c2c9d5

SHA512
d747eedec8a0756ad16a7096e5660626e70f98eb4765ce59b16c733c41ed6911bfd84bac6c815f07f3b7a715c1279f59fff5ef782641fdf6be1b17046423dcd9

Download Submit
memory/640-93-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-101-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-1014-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-1013-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-1012-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-1010-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-79-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-84-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-90-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-89-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-1008-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-96-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-95-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-1004-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-68-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/640-1002-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-43-0x0000025E90750000-0x0000025E91750000-memory.dmp

Filesize
16.0MB

Download
memory/640-54-0x0000025E8EEA0000-0x0000025E8EEA1000-memory.dmp

Filesize
4KB

Download
memory/2872-59-0x0000012B9FA80000-0x0000012BA0A80000-memory.dmp

Filesize
16.0MB

Download
memory/2872-30-0x0000012B9FA80000-0x0000012BA0A80000-memory.dmp

Filesize
16.0MB

Download
memory/2872-71-0x0000012B9FCF0000-0x0000012B9FD00000-memory.dmp

Filesize
64KB

Download
memory/2872-42-0x0000012B9E290000-0x0000012B9E291000-memory.dmp

Filesize
4KB

Download
memory/2872-74-0x0000012B9FD30000-0x0000012B9FD40000-memory.dmp

Filesize
64KB

Download
memory/2872-72-0x0000012B9FD10000-0x0000012B9FD20000-memory.dmp

Filesize
64KB

Download
memory/2872-75-0x0000012B9FD40000-0x0000012B9FD50000-memory.dmp

Filesize
64KB

Download
memory/2872-73-0x0000012B9FA80000-0x0000012BA0A80000-memory.dmp

Filesize
16.0MB

Download
memory/4732-4-0x000001872FE30000-0x0000018730E30000-memory.dmp

Filesize
16.0MB

Download
memory/4732-14-0x000001872E5A0000-0x000001872E5A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads