vjw0rm | 9fd94aca819af4ae40e78aaebc42c92af94539135ccd50839626a2565106f9e9

General

Target

9a7ad3d3d82e36a33e673af5a6ad66ea.js
Size

200KB
MD5

9a7ad3d3d82e36a33e673af5a6ad66ea
SHA1

9b4683b9ff01722e54bca2b88789ff6304978e32
SHA256

9fd94aca819af4ae40e78aaebc42c92af94539135ccd50839626a2565106f9e9
SHA512

1412efe123cba05e5982a379bf8ee3afcc3fb384dbd0b9efe739d8ecbc30823dd26be1198d71cb594dedeaf2e26e757bb17e67d6b19680e36b2a8ba970df8479
SSDEEP

3072:4q+Ly+xa+i9bNCmcaOz7M8UDFDV/n1jyC4cBchiD3+C5hKkjQXRJp:jki9Imca0MVRhZyNCYiDO1kEnp

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YphdXIgjJq.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YphdXIgjJq.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4844	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YphdXIgjJq.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3416	1436	wscript.exe	85
PID 1436 wrote to memory of 3416	1436	wscript.exe	85
PID 1436 wrote to memory of 2260	1436	wscript.exe	86
PID 1436 wrote to memory of 2260	1436	wscript.exe	86
PID 2260 wrote to memory of 4844	2260	javaw.exe	88
PID 2260 wrote to memory of 4844	2260	javaw.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9a7ad3d3d82e36a33e673af5a6ad66ea.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YphdXIgjJq.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3416
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hlmcmpzhue.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f8f8238d6351c676006d7b1a2a72a1df

SHA1
eadb78a42d1fd031fc68d7d6e9804db1974188d2

SHA256
5adeb6a7c7a353a87316edf5cc4a54633222bf1804602ccd6d31a72e496a5557

SHA512
3678818407d2013c345076af99863b8b56663329733fab634f11fb2325072c09d79348c4588d5a5a1a32e8e06553a39c65f50305e8e2e012719bc93827b153a1

Download Submit
C:\Users\Admin\AppData\Roaming\YphdXIgjJq.js

Filesize
9KB

MD5
fa16c7f592354e070b5c0fb6cdfc3272

SHA1
6c3d396632bfb1d78777d921dfc9feada2722225

SHA256
5207094802b5e244704fe007c0a86485f08eead9cda6c6776b8b7972c3af8e68

SHA512
a9746fd10a469f2f8ead79338fb2ec2e6a50a7f27f66de547baeac6951726f680b233d13149296196b188d483ed809bac40fa95843b62385a3583c89a1a5ea3c

Download Submit
C:\Users\Admin\AppData\Roaming\hlmcmpzhue.txt

Filesize
92KB

MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/2260-11-0x000001534D910000-0x000001534E910000-memory.dmp

Filesize
16.0MB

Download
memory/2260-24-0x000001534D910000-0x000001534E910000-memory.dmp

Filesize
16.0MB

Download
memory/2260-23-0x000001534DB90000-0x000001534DBA0000-memory.dmp

Filesize
64KB

Download
memory/2260-25-0x000001534D910000-0x000001534E910000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads