vjw0rm | 62bca662223a0017baef72c972f7a626e527b1aae6794461851a47533ad38825

General

Target

958b76889b6838f35a81e5a67f2e58f5.jar
Size

128KB
MD5

958b76889b6838f35a81e5a67f2e58f5
SHA1

aad0e3fa3460df2e1466048ddf172b0208b16789
SHA256

62bca662223a0017baef72c972f7a626e527b1aae6794461851a47533ad38825
SHA512

fb7a709f7457e64b4470c030bde5d942b342273809ae4b4ea4eca1b14a86d7b3bbd0b533e6e1979bf2360a12ebb75d961a90fc056ff02f1536fd00b295963bdc
SSDEEP

3072:bp2hBCNHl4WbH3dN3HEVy0091wNyY9sjtnHqwFXVbaA5faS0c:bp2vCNHTD8F0n3ljxHqyghY

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrvKczAWPy.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrvKczAWPy.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2496	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\TrvKczAWPy.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2496	3720	java.exe	85
PID 3720 wrote to memory of 2496	3720	java.exe	85
PID 3720 wrote to memory of 1368	3720	java.exe	87
PID 3720 wrote to memory of 1368	3720	java.exe	87
PID 1368 wrote to memory of 4604	1368	wscript.exe	88
PID 1368 wrote to memory of 4604	1368	wscript.exe	88
PID 1368 wrote to memory of 4608	1368	wscript.exe	89
PID 1368 wrote to memory of 4608	1368	wscript.exe	89

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\958b76889b6838f35a81e5a67f2e58f5.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2496
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TrvKczAWPy.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:4604
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zhmyxomg.txt"
    3⤵
    - Drops file in Program Files directory
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
956bbea2850b36ccc7626f8d1259906a

SHA1
0bd30fd96fc18c5c16225abd972b35997f17c0df

SHA256
fbdda19940e9914ae183f4ef7d1600c1d838ad89e12349a32b87ecea0e1594c8

SHA512
e5280386d84a05e10e07fdeb0e74ad58b0ffdb5c5b32ab5a3dd919a34bd2a4afbda8a0fe9318d56069054242453a99562ecc10d4a70874d8ddcc6c93fc294cfe

Download Submit
C:\Users\Admin\AppData\Roaming\TrvKczAWPy.js

Filesize
9KB

MD5
cf858266b13ee357cf8f5f5e12151885

SHA1
7a460ee3ad3c7b42c98676a39412ba5245fa8757

SHA256
5929e5fe4b3864ee6d9218b91dd88ca9f8a30a235d3a42ee587d3a1f8ef68a6f

SHA512
69075ef84e7ec1ee05faa059d67dd1ce7439e886c83fbb9572858b6a4051cdab96212a0544260fd2a3d257534908e17c46c480c96b455686b133b9a565e09058

Download Submit
C:\Users\Admin\AppData\Roaming\zhmyxomg.txt

Filesize
92KB

MD5
3e93005e30804f380c9c3fb392c32e4d

SHA1
68b3a053276a14c8059d58eab447927868f2f785

SHA256
7d14c63974afd53f32e6b5b5d22f0e0e6d49e4a04b67b4670ebeaf8c2a658b64

SHA512
307f8de410b15e2f28740bf776d27c201d9eebd2a5936757becddfb31ed9724f2ab866bdeac0ddd5184aa91457a276379a0a08fb24830df57d854e5c450fd129

Download Submit
C:\Users\Admin\[output].js

Filesize
202KB

MD5
37c0373548f1334764a0fe139bc4b0e4

SHA1
bea7360b7252701f1a1411d7a84c9ac631267559

SHA256
330d4d4c03364842209ab162eabb72fc9e5aa9c0b7271bd83599cb27f492601c

SHA512
bdcd45ccdf92966b5733f286a4608dfb3fc4566715045e80a92edebbf827db3994a91176e8f1945785c0af9d103259c192ae44561fe0c8d5c0286c62c2b0b4e3

Download Submit
memory/3720-4-0x0000025E5FB40000-0x0000025E60B40000-memory.dmp

Filesize
16.0MB

Download
memory/3720-13-0x0000025E5FB20000-0x0000025E5FB21000-memory.dmp

Filesize
4KB

Download
memory/4608-39-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download
memory/4608-33-0x000002CEDDCE0000-0x000002CEDDCE1000-memory.dmp

Filesize
4KB

Download
memory/4608-32-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download
memory/4608-44-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download
memory/4608-51-0x000002CEDDCE0000-0x000002CEDDCE1000-memory.dmp

Filesize
4KB

Download
memory/4608-54-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download
memory/4608-57-0x000002CEDDF80000-0x000002CEDDF90000-memory.dmp

Filesize
64KB

Download
memory/4608-58-0x000002CEDDFB0000-0x000002CEDDFC0000-memory.dmp

Filesize
64KB

Download
memory/4608-59-0x000002CEDDFC0000-0x000002CEDDFD0000-memory.dmp

Filesize
64KB

Download
memory/4608-60-0x000002CEDDFE0000-0x000002CEDDFF0000-memory.dmp

Filesize
64KB

Download
memory/4608-61-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download
memory/4608-62-0x000002CEDDD00000-0x000002CEDED00000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads