vjw0rm | 744c760018483ee148b61b496f3fce2d3bc7de7aebb72269f914baaf73f34633

General

Target

83515551eaa1178801cc99a303160826.js
Size

199KB
MD5

83515551eaa1178801cc99a303160826
SHA1

4adb1263847292b0fe47225a2ad2e6143f73dbaf
SHA256

744c760018483ee148b61b496f3fce2d3bc7de7aebb72269f914baaf73f34633
SHA512

0dce6c4e259995f7754933f28e4cfcd0dacd65df9d0c73dd21fdbe7bf0f4ec19036287e09088034f86dcfe9f61f44a0c2b010cf4d36275876707c389e4b6b8fe
SSDEEP

3072:lritC+1MYgCc1doOgng49ooBP/GmhWi5eTIQ+vZzMd3efZeb9sHts649mPnhXY:4ggnTWq/TH1AsW6KslY

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4864	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKoVKgJQp.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2196	1720	wscript.exe	84
PID 1720 wrote to memory of 2196	1720	wscript.exe	84
PID 1720 wrote to memory of 1708	1720	wscript.exe	85
PID 1720 wrote to memory of 1708	1720	wscript.exe	85
PID 1708 wrote to memory of 4864	1708	javaw.exe	87
PID 1708 wrote to memory of 4864	1708	javaw.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\83515551eaa1178801cc99a303160826.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2196
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pdfooablue.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
00e359c2e17c7c129e3b2920f9657f83

SHA1
c2fe4ece42475deaf81473e9109205af5c56dfc4

SHA256
ee58513f912d890e5e24f6f986cffc71c4240c7df406642efb1c63b1df25760f

SHA512
9eb36517b604681920d9ed5b799060b1b469d8cba614396da7e8e9a7d1430b24e5c9ae9cd05b701c415068d31781c697d396e5c6cac488f155b5a9ecff2651f1

Download Submit
C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js

Filesize
10KB

MD5
20db8f29d1db93e67b8b2ad6196d9e37

SHA1
ce499527cae2ea611057d5dc952132b0d948eba4

SHA256
349e780cca53f741459e1da002e177b536bf4eb7c69f5d3efaa6c4287bcfa985

SHA512
71950c00ace082834e8b13ccc869a5d13c1ee0fe83e170ea3714b0a4279bad2d560f2dd6c2f200bddd4a00b241ff6553db9f6c8156cda7b60f0c08629512bfd3

Download Submit
C:\Users\Admin\AppData\Roaming\pdfooablue.txt

Filesize
89KB

MD5
7873269dd388d4ff3dbe9f020e121e89

SHA1
d50b0740bab0ebc4cf6b3cc4c586632f6dc9e13e

SHA256
bc12cbf509a1f5bff1dea9896aae44b9bc119115bf38349f6caabbbf99e0e919

SHA512
36fdd31209b3448dc32100f733c048b063521bade50a5dd8a3945b7acc5b504115036a6c37bf37ac99b31cf4f94a63b7040224bcf5d8b0c3d2bc93e4bb0fc818

Download Submit
memory/1708-46-0x000001B1AD550000-0x000001B1AD560000-memory.dmp

Filesize
64KB

Download
memory/1708-49-0x000001B1AD510000-0x000001B1AD520000-memory.dmp

Filesize
64KB

Download
memory/1708-29-0x000001B1AD230000-0x000001B1AD231000-memory.dmp

Filesize
4KB

Download
memory/1708-35-0x000001B1AD230000-0x000001B1AD231000-memory.dmp

Filesize
4KB

Download
memory/1708-40-0x000001B1AD250000-0x000001B1AE250000-memory.dmp

Filesize
16.0MB

Download
memory/1708-45-0x000001B1AD4D0000-0x000001B1AD4E0000-memory.dmp

Filesize
64KB

Download
memory/1708-47-0x000001B1AD4F0000-0x000001B1AD500000-memory.dmp

Filesize
64KB

Download
memory/1708-11-0x000001B1AD250000-0x000001B1AE250000-memory.dmp

Filesize
16.0MB

Download
memory/1708-48-0x000001B1AD500000-0x000001B1AD510000-memory.dmp

Filesize
64KB

Download
memory/1708-25-0x000001B1AD250000-0x000001B1AE250000-memory.dmp

Filesize
16.0MB

Download
memory/1708-50-0x000001B1AD530000-0x000001B1AD540000-memory.dmp

Filesize
64KB

Download
memory/1708-52-0x000001B1AD560000-0x000001B1AD570000-memory.dmp

Filesize
64KB

Download
memory/1708-51-0x000001B1AD540000-0x000001B1AD550000-memory.dmp

Filesize
64KB

Download
memory/1708-55-0x000001B1AD250000-0x000001B1AE250000-memory.dmp

Filesize
16.0MB

Download
memory/1708-57-0x000001B1AD5A0000-0x000001B1AD5B0000-memory.dmp

Filesize
64KB

Download
memory/1708-56-0x000001B1AD590000-0x000001B1AD5A0000-memory.dmp

Filesize
64KB

Download
memory/1708-54-0x000001B1AD580000-0x000001B1AD590000-memory.dmp

Filesize
64KB

Download
memory/1708-53-0x000001B1AD570000-0x000001B1AD580000-memory.dmp

Filesize
64KB

Download
memory/1708-58-0x000001B1AD250000-0x000001B1AE250000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads