vjw0rm | 959c3c857866b02879204acd58e128eb352a3e7004362cfdc1a5703518bf9a4d

General

Target

a626d7243811dc4d8ccca242d6795316.jar
Size

627KB
MD5

a626d7243811dc4d8ccca242d6795316
SHA1

513cc770efdea98330eaf69e87dc9b0b54fb6faa
SHA256

959c3c857866b02879204acd58e128eb352a3e7004362cfdc1a5703518bf9a4d
SHA512

6ed975a6f358cd5c9fbc211c468accccbc98fc46a01e40c5f376857b572d9e3bf317f7450d870f6e80d6c3f2c9435d755e4b71341b50493b1b5b889fc4ffa5a0
SSDEEP

12288:DzfOwy3k0VQxylA2fOkE4Xrp68OcIDApGxGSA59Z/6Q9CbMsRdHladw/7p:Dzvy3k0Gou2ZE4XMr0GE8VHYdwjp

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psNSdLENFy.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psNSdLENFy.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2784	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\psNSdLENFy.js\""	WScript.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2784	4232	java.exe	89
PID 4232 wrote to memory of 2784	4232	java.exe	89
PID 4232 wrote to memory of 4356	4232	java.exe	91
PID 4232 wrote to memory of 4356	4232	java.exe	91
PID 4356 wrote to memory of 5016	4356	wscript.exe	92
PID 4356 wrote to memory of 5016	4356	wscript.exe	92
PID 4356 wrote to memory of 5008	4356	wscript.exe	94
PID 4356 wrote to memory of 5008	4356	wscript.exe	94
PID 5008 wrote to memory of 4904	5008	javaw.exe	96
PID 5008 wrote to memory of 4904	5008	javaw.exe	96

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a626d7243811dc4d8ccca242d6795316.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2784
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\psNSdLENFy.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:5016
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fxxvculv.txt"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.36479135449167826946866981503147560.class
      4⤵
      Drops file in Program Files directory
      PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
13c6864196a4b2d0c172de94a51cf906

SHA1
cddde742466d373568f200319d66f8bde018efee

SHA256
6bfe6f64d66d21289ea3a258be23d63f1142c1199a0dc31271300bf1337382ed

SHA512
d06ca7f575673a6f38ddf684192b5a7c6c3f5ff83d21a6db8e4b8543c6e7f5f6269139d365de3960cf0678d0503df5f00e02088e9796c7e5ce0f9cda8c96f2ae

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e5d72e54a9365a3d37f4fdcd46f76751

SHA1
3699052726b83347b9218977a3655ab0bbd2b7d9

SHA256
ae7cfb8b4afb30c20e4727ab9501517771667937e394b631572a92edd88ef702

SHA512
e9a5800d87846c6fd74e01c9f8931744f349471a58e866875097e0422ebc46564a49537f5ae618fbb2186a1bdf969500bb9d94713c6bbf10e1a8562939bf1ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.36479135449167826946866981503147560.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2132103209-3755304320-2959162027-1000\83aa4cc77f591dfc2374580bbd95f6ba_d7afbcf0-70bf-4bfe-b7d9-2036baed77c1

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\fxxvculv.txt

Filesize
479KB

MD5
2bc77cbaca6f8ac04a0e4d698cf5133a

SHA1
34252120652ba3a20588aa557337538d21e5ed88

SHA256
a87af64dfea31dd2e08ae33b9a595b37ed4fa1511f195caa498ee9d51199528c

SHA512
fc14834e588ac87ea762a181ac12d1a59ca0fc60edb20ac1323493543760b641a6d9951c1bc3e04c66cf3692a284b793eff2cf9d8ab4050fb58d543780c24563

Download Submit
C:\Users\Admin\AppData\Roaming\psNSdLENFy.js

Filesize
9KB

MD5
07e26d97dd43f02c7ec44c8840a86929

SHA1
6e14f39eb51a4c9eb050432871c4d2c2476f3db8

SHA256
f853432ce4c3522230e2c7dfba170fd36a694c3907ca7191b0c1328eb1a71a72

SHA512
b08061471ed3cc18db189fb8615971860e9feb630a7f4adcaa544900fc19d2596fb6b01991076f9e0b31cde31fd9453a74d280f33c813f46ed1b47ca927752f9

Download Submit
C:\Users\Admin\_output.js

Filesize
911KB

MD5
4947f7f200a807ea0a916c8fe8fb77e1

SHA1
45eb227ad8019303e07e73001bf9f4cae39ddaab

SHA256
cd846dc05b92854bc148f4547bd5f3da192b420218a371b8c64a54601d3de16c

SHA512
aea4ef3dd95039c03401614e4cefde743a8540376508881f3c2052279efd338979f1f3e7b7258f8cc3dd097ca8598a3d2b3b6f6e216bbba2fc1b6ad92a15c7b9

Download Submit
memory/4232-14-0x0000020A2CA10000-0x0000020A2CA11000-memory.dmp

Filesize
4KB

Download
memory/4232-4-0x0000020A2E1E0000-0x0000020A2F1E0000-memory.dmp

Filesize
16.0MB

Download
memory/4904-62-0x000001B2664B0000-0x000001B2664B1000-memory.dmp

Filesize
4KB

Download
memory/4904-71-0x000001B267FD0000-0x000001B267FE0000-memory.dmp

Filesize
64KB

Download
memory/4904-56-0x000001B2664B0000-0x000001B2664B1000-memory.dmp

Filesize
4KB

Download
memory/4904-43-0x000001B267D60000-0x000001B268D60000-memory.dmp

Filesize
16.0MB

Download
memory/5008-74-0x0000024281690000-0x00000242816A0000-memory.dmp

Filesize
64KB

Download
memory/5008-30-0x0000024281410000-0x0000024282410000-memory.dmp

Filesize
16.0MB

Download
memory/5008-42-0x00000242FF950000-0x00000242FF951000-memory.dmp

Filesize
4KB

Download
memory/5008-58-0x0000024281410000-0x0000024282410000-memory.dmp

Filesize
16.0MB

Download
memory/5008-75-0x00000242816B0000-0x00000242816C0000-memory.dmp

Filesize
64KB

Download
memory/5008-76-0x00000242816C0000-0x00000242816D0000-memory.dmp

Filesize
64KB

Download
memory/5008-77-0x00000242816D0000-0x00000242816E0000-memory.dmp

Filesize
64KB

Download
memory/5008-78-0x00000242816E0000-0x00000242816F0000-memory.dmp

Filesize
64KB

Download
memory/5008-79-0x0000024281410000-0x0000024282410000-memory.dmp

Filesize
16.0MB

Download
memory/5008-80-0x0000024281410000-0x0000024282410000-memory.dmp

Filesize
16.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads