vjw0rm | 62bca662223a0017baef72c972f7a626e527b1aae6794461851a47533ad38825

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958b76889b6838f35a81e5a67f2e58f5.jar
Size

128KB
MD5

958b76889b6838f35a81e5a67f2e58f5
SHA1

aad0e3fa3460df2e1466048ddf172b0208b16789
SHA256

62bca662223a0017baef72c972f7a626e527b1aae6794461851a47533ad38825
SHA512

fb7a709f7457e64b4470c030bde5d942b342273809ae4b4ea4eca1b14a86d7b3bbd0b533e6e1979bf2360a12ebb75d961a90fc056ff02f1536fd00b295963bdc
SSDEEP

3072:bp2hBCNHl4WbH3dN3HEVy0091wNyY9sjtnHqwFXVbaA5faS0c:bp2vCNHTD8F0n3ljxHqyghY

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrvKczAWPy.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrvKczAWPy.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\TrvKczAWPy.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2904	2932	java.exe	29
PID 2932 wrote to memory of 2904	2932	java.exe	29
PID 2932 wrote to memory of 2904	2932	java.exe	29
PID 2904 wrote to memory of 2860	2904	wscript.exe	30
PID 2904 wrote to memory of 2860	2904	wscript.exe	30
PID 2904 wrote to memory of 2860	2904	wscript.exe	30
PID 2904 wrote to memory of 2832	2904	wscript.exe	31
PID 2904 wrote to memory of 2832	2904	wscript.exe	31
PID 2904 wrote to memory of 2832	2904	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\958b76889b6838f35a81e5a67f2e58f5.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TrvKczAWPy.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2860
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yvvrhcwlpx.txt"
    3⤵
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TrvKczAWPy.js

Filesize
9KB

MD5
cf858266b13ee357cf8f5f5e12151885

SHA1
7a460ee3ad3c7b42c98676a39412ba5245fa8757

SHA256
5929e5fe4b3864ee6d9218b91dd88ca9f8a30a235d3a42ee587d3a1f8ef68a6f

SHA512
69075ef84e7ec1ee05faa059d67dd1ce7439e886c83fbb9572858b6a4051cdab96212a0544260fd2a3d257534908e17c46c480c96b455686b133b9a565e09058

Download Submit
C:\Users\Admin\AppData\Roaming\yvvrhcwlpx.txt

Filesize
92KB

MD5
3e93005e30804f380c9c3fb392c32e4d

SHA1
68b3a053276a14c8059d58eab447927868f2f785

SHA256
7d14c63974afd53f32e6b5b5d22f0e0e6d49e4a04b67b4670ebeaf8c2a658b64

SHA512
307f8de410b15e2f28740bf776d27c201d9eebd2a5936757becddfb31ed9724f2ab866bdeac0ddd5184aa91457a276379a0a08fb24830df57d854e5c450fd129

Download Submit
C:\Users\Admin\[output].js

Filesize
202KB

MD5
37c0373548f1334764a0fe139bc4b0e4

SHA1
bea7360b7252701f1a1411d7a84c9ac631267559

SHA256
330d4d4c03364842209ab162eabb72fc9e5aa9c0b7271bd83599cb27f492601c

SHA512
bdcd45ccdf92966b5733f286a4608dfb3fc4566715045e80a92edebbf827db3994a91176e8f1945785c0af9d103259c192ae44561fe0c8d5c0286c62c2b0b4e3

Download Submit
memory/2832-23-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/2832-31-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2832-32-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/2932-9-0x0000000002000000-0x0000000005000000-memory.dmp

Filesize
48.0MB

Download
memory/2932-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads