vjw0rm | 604dc0ff16d6c026a4c322dc61ca9597a02dbc5c80bcea0c46961005204decaf

Analysis

max time kernel
13s
max time network
77s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/01/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63507ef5bc127d200bd48e477a5f8ab2.jar
Size

627KB
MD5

63507ef5bc127d200bd48e477a5f8ab2
SHA1

4b05541814e7c1bdbb70f1cb82b3db5f8e9b5823
SHA256

604dc0ff16d6c026a4c322dc61ca9597a02dbc5c80bcea0c46961005204decaf
SHA512

645ebbff6ac01dd2d73be6db41dc9f6456a82c96b9a65f82d40151dbebd6c27623cd2fd3a6fde90651c51278e7db525b540510fb6e8f46acaa4b0f03c8a18a13
SSDEEP

12288:TsWeQT7dKrfL/0MqLofLrYeBurxCvORSxT8FhHD3mMkLdSIdNQ:XTBK0MqEfL1KRk+D1kZp4

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vTTsXwVcli.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vTTsXwVcli.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\vTTsXwVcli.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2136	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2284	2644	java.exe	29
PID 2644 wrote to memory of 2284	2644	java.exe	29
PID 2644 wrote to memory of 2284	2644	java.exe	29
PID 2284 wrote to memory of 2588	2284	wscript.exe	30
PID 2284 wrote to memory of 2588	2284	wscript.exe	30
PID 2284 wrote to memory of 2588	2284	wscript.exe	30
PID 2284 wrote to memory of 2780	2284	wscript.exe	31
PID 2284 wrote to memory of 2780	2284	wscript.exe	31
PID 2284 wrote to memory of 2780	2284	wscript.exe	31

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1784	attrib.exe
1552	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\63507ef5bc127d200bd48e477a5f8ab2.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vTTsXwVcli.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2588
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mtscpku.txt"
    3⤵
    PID:2780
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.14185700217961855161911809827862850.class
      4⤵
      PID:3056
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4960717926780899828.vbs
        5⤵
        
        PID:812
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4960717926780899828.vbs
        6⤵
        
        PID:2208
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive878805403764018424.vbs
        5⤵
        
        PID:1140
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive878805403764018424.vbs
        6⤵
        
        PID:1596
    - - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:2688
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5038354057871239837.vbs
      4⤵
      PID:2188
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5038354057871239837.vbs
        5⤵
        
        PID:2968
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive513104161417571218.vbs
      4⤵
      PID:880
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive513104161417571218.vbs
        5⤵
        
        PID:2352
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:2248
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2680
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v vyZQspzeTXl /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\cUZBwVizSSd\voYZHMSwtjQ.PdyglH\"" /f
      4⤵
      Modifies registry key
      PID:2136
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\cUZBwVizSSd"
      4⤵
      Views/modifies file attributes
      PID:1784
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\Admin\cUZBwVizSSd\voYZHMSwtjQ.PdyglH
      4⤵
      PID:2080
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\cUZBwVizSSd\*.*"
      4⤵
      Views/modifies file attributes
      PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive4960717926780899828.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive878805403764018424.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.14185700217961855161911809827862850.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1603059206-2004189698-4139800220-1000\83aa4cc77f591dfc2374580bbd95f6ba_ed99f2be-c877-4736-8218-f1e1b6598c0d

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
0547e7c8dade7157d58f6bf5e74bcce7

SHA1
f1ef0a100276e7d3adf38b9fbb802d12f4bb8d9f

SHA256
6953ed5729acafb594c9e81b970f946848453abc6033d4b5519870b58c72abac

SHA512
b213982a0935465b8d468822912169457b60a55382eba7ee39c62be953512a2d524aa6d01953d05dab981b72c417e62bcdff661bac99534e54778f906ad44d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\MET

Filesize
1KB

MD5
df1d6d7601b75822e9cf454c03c583b6

SHA1
966737a61ec5f9bcac90154389f5249ca6c0e1e2

SHA256
f3936669b75c67d577d93655b07629b30371aefd32845f69d7cef09b27409d8c

SHA512
50f1943794f84faa26ec8aa1175d98dac365ad3a48eda7b1899e57f1e7fe88365d595403131df926c0471900bf1dcf43f534c57bfb2fb33fe5a81870f4e103ba

Download Submit
C:\Users\Admin\AppData\Roaming\mtscpku.txt

Filesize
479KB

MD5
c67d02c567461d6fad607a89ac1084b8

SHA1
1c8af842bda12c315b7a78b4a44f3c4e8a1721a9

SHA256
13510f3ee14e47e2fc457215420e795f0959e33411e4fa2e8a889a3c7fb858d9

SHA512
9151cfaff17d3cd2d832ad5a4e9fbcf93e49c955a1ed0748d67d9df307d7714bff346caa4239482ca676697ee48c689759f3ef86fd360e47e8910246dce0a043

Download Submit
C:\Users\Admin\AppData\Roaming\vTTsXwVcli.js

Filesize
9KB

MD5
e068ea577e83f36e6f5a3a64bd763648

SHA1
83764893b98e89350c261609b76b0fd812b44630

SHA256
d75a2e8e930b82f2cf2e751b298294f5594d74ff68aa65ca27ff6c1eb46730b6

SHA512
ed0d2fa859b239f84d736dc138a9a7c100cececdf565ed6a2d401ef9f20b526feffee4587eaf93697d9bb7db33f8bc8eb91a66d70b08645b913d1f6edcea47c6

Download Submit
C:\Users\Admin\_output.js

Filesize
487KB

MD5
9ba5ec190af9bb219173a1864fb841e1

SHA1
2d218a5eb6fca6ba6b6d5f0ca286907a818d97d6

SHA256
d78097c6ba025eddd77b709603a8bd4abd746b1443047bfa611705f00006e528

SHA512
35877b6e00acdb69aa71b88f45a4505c2ac83c3d72d411896a8f25b07e48220c3d3c157e1a2d5bb05a656790f68e7788920d3231a1e8b71120604b76e8a83502

Download Submit
C:\Users\Admin\cUZBwVizSSd\ID.txt

Filesize
47B

MD5
939a9779d1ec74c602f9f9d2ac3793b9

SHA1
b1cdf925e0d2fac72ea7193ea5125548f632f90f

SHA256
56d613d2bde51ecd5bde6a123492d3139e5aff0807014d63ade417b1603a8731

SHA512
d6d0f7583fe029a0ab1dad87b9a91981489cf484b9c82b09cefda25cc35b4b6f3e5dc9aaa33728ae0803321edb53f30e566047e6ba2d9c17f2fe1f218c2afe1e

Download Submit
C:\Users\Admin\cUZBwVizSSd\voYZHMSwtjQ.PdyglH

Filesize
128KB

MD5
d2793932e48746ec9cee011cf2c97946

SHA1
fbd2b7acb98cf148c3e710acdd5f4289c975ba70

SHA256
6f094ed17cc965dd9de7ce481b2d274c791dec60d6c7ae2d0e5ae625e059dc9b

SHA512
52e7ee2a335d0c02930e33a08371cd61da3fdbb86f96783b7a0124d53d384d2fbb69b1bd3bf72e2d11c75cf3fc71199cfaee72066c00976064432af929da96f5

Download Submit
memory/2644-7-0x0000000002420000-0x0000000005420000-memory.dmp

Filesize
48.0MB

Download
memory/2644-13-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2644-10-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2780-32-0x0000000002190000-0x0000000005190000-memory.dmp

Filesize
48.0MB

Download
memory/2780-101-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2780-96-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2780-74-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2780-41-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3056-95-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3056-49-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3056-42-0x00000000022B0000-0x00000000052B0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads