vjw0rm | 83f29dce703be1732adc93f87a9d418777a0955c4de7420f7d771f3935483881

General

Target

a065238ec6aab09b7140941fa0fb8bdb.jar
Size

128KB
MD5

a065238ec6aab09b7140941fa0fb8bdb
SHA1

8b5288027cd4da2113e1721e8ef681eb8cbb183b
SHA256

83f29dce703be1732adc93f87a9d418777a0955c4de7420f7d771f3935483881
SHA512

ad51b5eb8110ccffaab3123e27719a8217d62bb0480b41ee598408c14f9a00feddff248c8b6d1b688bc275efdb0b76d47d97d4418b60c5eb302bee3da49dc132
SSDEEP

3072:simtZN7NN1Mate9rPXBJuZUNH03gDyUcn9Gdgn2Ba2n50TfZR7d:siUZQacNXBJtNHMgDou09Bd

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InusojdVsj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InusojdVsj.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1796	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\InusojdVsj.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1796	1200	java.exe	84
PID 1200 wrote to memory of 1796	1200	java.exe	84
PID 1200 wrote to memory of 2812	1200	java.exe	86
PID 1200 wrote to memory of 2812	1200	java.exe	86
PID 2812 wrote to memory of 4036	2812	wscript.exe	88
PID 2812 wrote to memory of 4036	2812	wscript.exe	88
PID 2812 wrote to memory of 4952	2812	wscript.exe	89
PID 2812 wrote to memory of 4952	2812	wscript.exe	89

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a065238ec6aab09b7140941fa0fb8bdb.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1796
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\[output].js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\InusojdVsj.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:4036
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fuiypoi.txt"
    3⤵
    - Drops file in Program Files directory
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
cb99c8b865886d4a3492695a6cb6acb0

SHA1
594d1adb773f6563031d8d91f52fc98334cf11b7

SHA256
c51df4ac7b8743b35e38ffb619410c92c0a1a85fbe55a8a8876d6ff87e7a55fd

SHA512
e47852aa9aa47c0c90f0c6d7ae9b1a01236e30159c1cf88841baddb7957802029e14c52e9106fb95fb7f5f49c17507db46fe3e8024f2508579d5952ba1f5115b

Download Submit
C:\Users\Admin\AppData\Roaming\InusojdVsj.js

Filesize
9KB

MD5
acdd72a293289dbfe9a9866984d1dbc1

SHA1
839a8923410dbfb36b0c796836a0e8317b6f2d3b

SHA256
edd99e881e53c2358935d93b3dddcf5da650ee0176e1eec533df662c3c38140e

SHA512
accc78f30b3653cfc84ed042a02e4eaf1bdc1c6aaf8f60725ff9a569da08ff875abc7abe26cac291742755a5a06c7a483c32ebe2261b74e169169c805ba1cca7

Download Submit
C:\Users\Admin\AppData\Roaming\fuiypoi.txt

Filesize
92KB

MD5
d586663f3ff01f6ccddc890a9013aad6

SHA1
4ed9f24d7eeda73c96fef0128d991cfab005e0f8

SHA256
a32832b7da66a6c36a28bc5f2d49b70a555980032d4d0f823cf514089e226b59

SHA512
a1b8c0336ee6c8323329ba1c4a892943e238c1dbad15d78bdf5ae4fc089b397c4dce4770dfe03752cddf52819b62106cbb1a960ebaa0c4125df01a42846ebb98

Download Submit
C:\Users\Admin\[output].js

Filesize
202KB

MD5
c3504573a507f9639bb38881251021f8

SHA1
94e53406b7d2f0f85426e2135f75f34830d25a66

SHA256
000e30e8698bb39cc23124678b97c3d17532cb204e4e7de31b45d917ce716d1e

SHA512
65bb0b5b5e6e8a60596066db04b26309204e2db12b8916e518b3b2c97ff25fe26d6f0f18204475b6aff44b649ea8de56e3a1b8fb10b740f20c4ab64974ec94f4

Download Submit
memory/1200-6-0x00000233925F0000-0x00000233935F0000-memory.dmp

Filesize
16.0MB

Download
memory/1200-14-0x00000233925D0000-0x00000233925D1000-memory.dmp

Filesize
4KB

Download
memory/1200-61-0x00000233925F0000-0x00000233935F0000-memory.dmp

Filesize
16.0MB

Download
memory/4952-40-0x0000015580000000-0x0000015581000000-memory.dmp

Filesize
16.0MB

Download
memory/4952-33-0x00000155F9A90000-0x00000155F9A91000-memory.dmp

Filesize
4KB

Download
memory/4952-54-0x0000015580280000-0x0000015580290000-memory.dmp

Filesize
64KB

Download
memory/4952-53-0x0000015580000000-0x0000015581000000-memory.dmp

Filesize
16.0MB

Download
memory/4952-56-0x00000155802B0000-0x00000155802C0000-memory.dmp

Filesize
64KB

Download
memory/4952-55-0x00000155802A0000-0x00000155802B0000-memory.dmp

Filesize
64KB

Download
memory/4952-57-0x00000155802C0000-0x00000155802D0000-memory.dmp

Filesize
64KB

Download
memory/4952-58-0x00000155802D0000-0x00000155802E0000-memory.dmp

Filesize
64KB

Download
memory/4952-59-0x00000155802E0000-0x00000155802F0000-memory.dmp

Filesize
64KB

Download
memory/4952-60-0x00000155802F0000-0x0000015580300000-memory.dmp

Filesize
64KB

Download
memory/4952-32-0x0000015580000000-0x0000015581000000-memory.dmp

Filesize
16.0MB

Download
memory/4952-62-0x0000015580000000-0x0000015581000000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads