Overview

overview

10

Static

static

1

8ca1ecf268...14.jar

windows7-x64

10

8ca1ecf268...14.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ca1ecf268ce85ceb8855ac8e2c55414.jar

  • Size

    123KB

  • MD5

    8ca1ecf268ce85ceb8855ac8e2c55414

  • SHA1

    40cb27e69cff3e53a252a9d539fa60314ac4e3a7

  • SHA256

    9d4b71f7a7886232ed1977d2c92870637ffc08dba838b20245ad60aeb7d2b102

  • SHA512

    9ddaebdade5d99b2a12e0753a7dd7f4a81857b8654461bfe2119cade2665f5db33a769788a3d72f2582a20ba7fe736033882cc279c16759a14c025b920130605

  • SSDEEP

    3072:ZLLB9Vo35PRErXjMOKCaOgyeAz1+i1GMcU6A7Auka/:ZvLVo3TYMtZA+HA6Ja/

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\8ca1ecf268ce85ceb8855ac8e2c55414.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:316
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\_output.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cTmNhYTLpQ.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:1452
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\niyhvuaacc.txt"
        3⤵
        • Drops file in Program Files directory
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    28b06263aec0f70d1aae1449e8ca5cbd

    SHA1

    fde96b7e14bed5ca334f2289a9521181310d9d6e

    SHA256

    c9ce53f698fc987c7d058e689be03814064a6c8343acb93fb535459f62ebca55

    SHA512

    9c8877b79ce7e8bc6f50606952be8e2d461e1856fa4a1d5eccf9595a8c106129474a7f410f86ac05fe66a79e7db2a27fc39caa11125bdc4ebf3febbb89aaeb62

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cTmNhYTLpQ.js
    Filesize

    9KB

    MD5

    685b1b2952c8efe8584d692840416ebb

    SHA1

    d52696d12e7aa7b5c3757bfc0d524e11a527edba

    SHA256

    a0468409b7c7800ce0b1df997097525357bb2b93686afba5e5f82dd03667c00c

    SHA512

    7b173df0ef8b2045f65980e2ea657a544551b4809eb6d82b5eed829e5858fab4966e500912f193d2a6382974f2d1c775a93454f562a6a826d6a191dec7f39868

    Download Submit

  • C:\Users\Admin\AppData\Roaming\niyhvuaacc.txt
    Filesize

    88KB

    MD5

    468ec549c270898563a0d61e42a3bd17

    SHA1

    6bbd046226d2a87abd4e24d9831e029d97f5e0c7

    SHA256

    ba97fd311dcae06ced279a1a5503252c7c0986a28e4168f0f96b4afcbcb7f79b

    SHA512

    e9071cd00f5c12810e08655f9dedd740fa3052132467a1596056d986a505d980fde4a0bac0d9ff573b630fd0c5b4aeec05b878bd3d05c549e9745fe26dbc8039

    Download Submit

  • C:\Users\Admin\_output.js
    Filesize

    195KB

    MD5

    9e872de7115891e5eea6c64be9164ad9

    SHA1

    c279eb494fbf5cd0a398fb02c4b10e8728b4198b

    SHA256

    019a6c3f10ef4440d4c08462eaca4acca8f58e16bc375c0483336368bc919457

    SHA512

    b9d651f7f4bc7edbd4f66c0acad209bcbc3268a648a02cff5b19b5f30eafe2c6e1ade7ce617f4b16433585cf3aa3f13a25f665a7541371af0e587c2a472453db

    Download Submit

  • memory/2360-4-0x000001FD54A80000-0x000001FD55A80000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2360-14-0x000001FD54A60000-0x000001FD54A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-39-0x000002AA36310000-0x000002AA37310000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2576-33-0x000002AA362F0000-0x000002AA362F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-30-0x000002AA36310000-0x000002AA37310000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2576-44-0x000002AA362F0000-0x000002AA362F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-48-0x000002AA365A0000-0x000002AA365B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-47-0x000002AA36590000-0x000002AA365A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-49-0x000002AA365B0000-0x000002AA365C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-50-0x000002AA365D0000-0x000002AA365E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-51-0x000002AA365E0000-0x000002AA365F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-52-0x000002AA36310000-0x000002AA37310000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2576-53-0x000002AA36310000-0x000002AA37310000-memory.dmp

    Filesize

    16.0MB

    Download