vjw0rm | 9de696d1d6fb1228d3697b7be4e628d6489c4bc2dcfacc54b1fb282fe4fbebe9

General

Target

681105abdc5d0c0343775b60daf355f0.jar
Size

628KB
MD5

681105abdc5d0c0343775b60daf355f0
SHA1

19df3c8b66be211e6cb1cc01cf7c7eff5064fc8b
SHA256

9de696d1d6fb1228d3697b7be4e628d6489c4bc2dcfacc54b1fb282fe4fbebe9
SHA512

649fe254c397cace915c1348da5e8a6f35621a9a29ce720261e824fb91efe4d5b6276edb54ecdf9e606f2046c68b0ef5c5a1ed1a405585591f5856c9fe32893b
SSDEEP

12288:p9JFYoYph7hbhUItEv1GUSSoPwokLOqf5SEmkkjB0bCSoZiZ3znQBu:p97YoYt7oSjYOKSEUBwoZiZ3zQY

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UTKfCExmNp.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UTKfCExmNp.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\UTKfCExmNp.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2728	2712	java.exe	29
PID 2712 wrote to memory of 2728	2712	java.exe	29
PID 2712 wrote to memory of 2728	2712	java.exe	29
PID 2728 wrote to memory of 2668	2728	wscript.exe	30
PID 2728 wrote to memory of 2668	2728	wscript.exe	30
PID 2728 wrote to memory of 2668	2728	wscript.exe	30
PID 2728 wrote to memory of 2528	2728	wscript.exe	31
PID 2728 wrote to memory of 2528	2728	wscript.exe	31
PID 2728 wrote to memory of 2528	2728	wscript.exe	31
PID 2528 wrote to memory of 2832	2528	javaw.exe	33
PID 2528 wrote to memory of 2832	2528	javaw.exe	33
PID 2528 wrote to memory of 2832	2528	javaw.exe	33

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\681105abdc5d0c0343775b60daf355f0.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\UTKfCExmNp.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2668
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\gsqjohklkx.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.494153801090133969081077647958244763.class
      4⤵
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.494153801090133969081077647958244763.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3308111660-3636268597-2291490419-1000\83aa4cc77f591dfc2374580bbd95f6ba_2a70212d-3249-45ef-9f7c-6c9a96910c8e

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\UTKfCExmNp.js

Filesize
9KB

MD5
ad0c7ddce8b698fe384a4fe713eee19f

SHA1
88f09dc796a1a1efccd3aff70f814df4f8e17a12

SHA256
d0114eaf2ec37c2b7d65d87c8a8afcc536470d3a03c3ce3b09ad662e5ae969ef

SHA512
9476eff03863804fba347947a2b41e12f60ced3001b6892ea73361d50c660613754be463b850bbe7261b663d8fff4f4df4245225b78f7189c141bce64ebd8847

Download Submit
C:\Users\Admin\AppData\Roaming\gsqjohklkx.txt

Filesize
479KB

MD5
2bc77cbaca6f8ac04a0e4d698cf5133a

SHA1
34252120652ba3a20588aa557337538d21e5ed88

SHA256
a87af64dfea31dd2e08ae33b9a595b37ed4fa1511f195caa498ee9d51199528c

SHA512
fc14834e588ac87ea762a181ac12d1a59ca0fc60edb20ac1323493543760b641a6d9951c1bc3e04c66cf3692a284b793eff2cf9d8ab4050fb58d543780c24563

Download Submit
C:\Users\Admin\_output.js

Filesize
914KB

MD5
54d7a9612b5b6ae8d92d1dee6afc77ba

SHA1
566c13b7d4499a7d74e627ce818e10a65d9e1f47

SHA256
07b0274fcfd6bba6f5056eff77692987aeea03ff2fe978a5b8c097e842df5c41

SHA512
539491dc967fd97292d7f945d02e0c439566a8e805da0da3e31bef2313c8b20895828f7fa11a9801e5f6d638a565e45fe5fd1fbf3b579c6e27b8b31a76c3bece

Download Submit
memory/2528-30-0x00000000023E0000-0x00000000053E0000-memory.dmp

Filesize
48.0MB

Download
memory/2528-32-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2528-49-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2528-58-0x00000000023E0000-0x00000000053E0000-memory.dmp

Filesize
48.0MB

Download
memory/2712-6-0x0000000002230000-0x0000000005230000-memory.dmp

Filesize
48.0MB

Download
memory/2712-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2712-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2832-43-0x00000000021B0000-0x00000000051B0000-memory.dmp

Filesize
48.0MB

Download
memory/2832-48-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads