vjw0rm | 83f29dce703be1732adc93f87a9d418777a0955c4de7420f7d771f3935483881

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a065238ec6aab09b7140941fa0fb8bdb.jar
Size

128KB
MD5

a065238ec6aab09b7140941fa0fb8bdb
SHA1

8b5288027cd4da2113e1721e8ef681eb8cbb183b
SHA256

83f29dce703be1732adc93f87a9d418777a0955c4de7420f7d771f3935483881
SHA512

ad51b5eb8110ccffaab3123e27719a8217d62bb0480b41ee598408c14f9a00feddff248c8b6d1b688bc275efdb0b76d47d97d4418b60c5eb302bee3da49dc132
SSDEEP

3072:simtZN7NN1Mate9rPXBJuZUNH03gDyUcn9Gdgn2Ba2n50TfZR7d:siUZQacNXBJtNHMgDou09Bd

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InusojdVsj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InusojdVsj.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\InusojdVsj.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 2292 wrote to memory of 2656	2292	java.exe	wscript.exe
PID 2292 wrote to memory of 2656	2292	java.exe	wscript.exe
PID 2292 wrote to memory of 2656	2292	java.exe	wscript.exe
PID 2656 wrote to memory of 1712	2656	wscript.exe	WScript.exe
PID 2656 wrote to memory of 1712	2656	wscript.exe	WScript.exe
PID 2656 wrote to memory of 1712	2656	wscript.exe	WScript.exe
PID 2656 wrote to memory of 2716	2656	wscript.exe	javaw.exe
PID 2656 wrote to memory of 2716	2656	wscript.exe	javaw.exe
PID 2656 wrote to memory of 2716	2656	wscript.exe	javaw.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a065238ec6aab09b7140941fa0fb8bdb.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\InusojdVsj.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:1712
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zxxdhin.txt"
    3⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InusojdVsj.js

Filesize
9KB

MD5
acdd72a293289dbfe9a9866984d1dbc1

SHA1
839a8923410dbfb36b0c796836a0e8317b6f2d3b

SHA256
edd99e881e53c2358935d93b3dddcf5da650ee0176e1eec533df662c3c38140e

SHA512
accc78f30b3653cfc84ed042a02e4eaf1bdc1c6aaf8f60725ff9a569da08ff875abc7abe26cac291742755a5a06c7a483c32ebe2261b74e169169c805ba1cca7

Download Submit
C:\Users\Admin\AppData\Roaming\zxxdhin.txt

Filesize
92KB

MD5
d586663f3ff01f6ccddc890a9013aad6

SHA1
4ed9f24d7eeda73c96fef0128d991cfab005e0f8

SHA256
a32832b7da66a6c36a28bc5f2d49b70a555980032d4d0f823cf514089e226b59

SHA512
a1b8c0336ee6c8323329ba1c4a892943e238c1dbad15d78bdf5ae4fc089b397c4dce4770dfe03752cddf52819b62106cbb1a960ebaa0c4125df01a42846ebb98

Download Submit
C:\Users\Admin\[output].js

Filesize
202KB

MD5
c3504573a507f9639bb38881251021f8

SHA1
94e53406b7d2f0f85426e2135f75f34830d25a66

SHA256
000e30e8698bb39cc23124678b97c3d17532cb204e4e7de31b45d917ce716d1e

SHA512
65bb0b5b5e6e8a60596066db04b26309204e2db12b8916e518b3b2c97ff25fe26d6f0f18204475b6aff44b649ea8de56e3a1b8fb10b740f20c4ab64974ec94f4

Download Submit
memory/2292-8-0x00000000025C0000-0x00000000055C0000-memory.dmp

Filesize
48.0MB

Download
memory/2292-12-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2716-23-0x0000000002610000-0x0000000005610000-memory.dmp

Filesize
48.0MB

Download
memory/2716-31-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-32-0x0000000002610000-0x0000000005610000-memory.dmp

Filesize
48.0MB

Download