vjw0rm | fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc

General

Target

63a88c19299c8fd2e3bf299798a6a322.js
Size

200KB
MD5

63a88c19299c8fd2e3bf299798a6a322
SHA1

7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
SHA256

fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
SHA512

3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
SSDEEP

3072:9uhE0m9+ACB9epP1nu+CcFztpcUodQ4kq98YJDkBPrspGQidJHlkg:loAm9ezu+Ci5pcUoNkpkkJeo/Fkg

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2404	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3652	1020	wscript.exe	89
PID 1020 wrote to memory of 3652	1020	wscript.exe	89
PID 1020 wrote to memory of 4364	1020	wscript.exe	90
PID 1020 wrote to memory of 4364	1020	wscript.exe	90
PID 4364 wrote to memory of 2404	4364	javaw.exe	92
PID 4364 wrote to memory of 2404	4364	javaw.exe	92

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\63a88c19299c8fd2e3bf299798a6a322.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3652
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pxmwpbsnv.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c11e9a65f671515cb9f1bf8d32b968e3

SHA1
ced7df60fadea5ca58a80858c2580bb2284e1818

SHA256
a63ac0ef977fa381a15f6d023612a5938bb9c65eecae6ad570d9d83a8f41ed1c

SHA512
06cc74395dc6d5acefdd21581f5eab8b503b0ae315e39c24e7a7a803bad447120eb46e6a78e1a00bb6311283770c30d8510a918c6dfbaff951619da87ce48964

Download Submit
C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js

Filesize
9KB

MD5
12bdb4d35045ca79f03c7ab66fa2a4d0

SHA1
fa1942411e165ec654f437f026b0e2e8028fa1fd

SHA256
9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a

SHA512
9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9

Download Submit
C:\Users\Admin\AppData\Roaming\pxmwpbsnv.txt

Filesize
92KB

MD5
06f61cd3d0cdf9257fcdac6483d4c1ba

SHA1
f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f

SHA256
424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f

SHA512
9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

Download Submit
memory/4364-49-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-53-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-28-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-36-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-47-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-10-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-48-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-23-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-60-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-62-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-66-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-73-0x000001B525D30000-0x000001B525D31000-memory.dmp

Filesize
4KB

Download
memory/4364-79-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download
memory/4364-80-0x000001B525D50000-0x000001B526D50000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads