vjw0rm | 23470d051b914ebef24b5963b5cdfc2d88feedd783fd85766d1eb0397314b75e

General

Target

8e23008d7ada844193b579c1194ed0bb.jar
Size

129KB
MD5

8e23008d7ada844193b579c1194ed0bb
SHA1

e41203fbb4e3fc56da36de0f16da8ea013835455
SHA256

23470d051b914ebef24b5963b5cdfc2d88feedd783fd85766d1eb0397314b75e
SHA512

aa65bb14c09782f67870278d97ab783dbe88c97d62cff44d2fbae649cb1b8ff045231df8b51e0b5ff695173a57b155be7b1b377dee5aa1df5c99a0d31f5e9cde
SSDEEP

3072:FMT7X2SUszVuItHjPpPeM3jbFO6C11vZYPULkHImQq+MXa5Sh9UALa:FGMszVuKDPgM3jbFOXfvy1dQqjaOG

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vBlHdPbRXO.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vBlHdPbRXO.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\vBlHdPbRXO.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2596	1688	java.exe	29
PID 1688 wrote to memory of 2596	1688	java.exe	29
PID 1688 wrote to memory of 2596	1688	java.exe	29
PID 2596 wrote to memory of 2836	2596	wscript.exe	30
PID 2596 wrote to memory of 2836	2596	wscript.exe	30
PID 2596 wrote to memory of 2836	2596	wscript.exe	30
PID 2596 wrote to memory of 1648	2596	wscript.exe	31
PID 2596 wrote to memory of 1648	2596	wscript.exe	31
PID 2596 wrote to memory of 1648	2596	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\8e23008d7ada844193b579c1194ed0bb.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\fttmjknmdk.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2836
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yhjtcckrx.txt"
    3⤵
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vBlHdPbRXO.js

Filesize
10KB

MD5
3d1f00e48df980bbe27e044f1806ac45

SHA1
ca18bf1aa56088a4b4fc662641db53e759ca02c5

SHA256
c662504121a016a1d03230f2b588dc3e46a0dc535b374ceea2812b5edd5bb03f

SHA512
925521347e5797e64091baa676a1a28e1ba34bde07672ed2a830c7487ad1a216c499eb2dcd646255bbe2d6944ba283924e9f0ed92ad33f1bcc17c16655ab9dd3

Download Submit
C:\Users\Admin\AppData\Roaming\yhjtcckrx.txt

Filesize
92KB

MD5
2609351f059049d57f3c3acb42f6ceba

SHA1
f028f2c40bd349772b0ee2a50ce15faa692e5b90

SHA256
050bd188e324cf2070656fda15505df4e8663377e7a62bc5cb7d3fceefdde25f

SHA512
d797b768fc8adf63776f6011695a63998729c4a227c4002ec9cbe52e2431d50496e745c2833ee00db951dde49b3c2ba4692d01057253b5259a65d0aa5f8208ea

Download Submit
C:\Users\Admin\fttmjknmdk.js

Filesize
205KB

MD5
039aa1459dff7f925387f99398485238

SHA1
ae030e4bc78bc8725ffb7911d77a820003059531

SHA256
43b48dab6f4327b867221688c4f77d57a43faba5067698dd37c8d1a63229056a

SHA512
484d67e334512eedf4636606b16b03032e4ac7d28d450d28789b3a8a3b6dadac573aeb9d34d2d2e66f1e2f839da410c8ef12b602d0a4db37c0b72c3671079503

Download Submit
memory/1648-43-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-30-0x00000000025E0000-0x00000000055E0000-memory.dmp

Filesize
48.0MB

Download
memory/1648-31-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-32-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-39-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-40-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-80-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-74-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-49-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-57-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-61-0x00000000025E0000-0x00000000055E0000-memory.dmp

Filesize
48.0MB

Download
memory/1648-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1688-12-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1688-9-0x00000000025B0000-0x00000000055B0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads