vjw0rm | e69e8751b597257f5e4f6a3fe1fdfa0ef273d8c6c6a7b1e620e392aee0cc64e4

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63a2f41efeaf76634460ebf1b32226d.jar
Size

125KB
MD5

b63a2f41efeaf76634460ebf1b32226d
SHA1

a45e1e55cc9aef31f2d9a60a11693e2d5d172fbe
SHA256

e69e8751b597257f5e4f6a3fe1fdfa0ef273d8c6c6a7b1e620e392aee0cc64e4
SHA512

4b5ad11c67e8ca623c4e38b6fef15ce262ad5f2b4319aac2b4df57504c067b5b8240e9490ef686d0c2c40e2b9185b6ef1551e84bba2c6b58766e752860931faa
SSDEEP

3072:rGMG3YXiOSXwVB8iJjzVhZnX3R+lIL+TqQN7JmhPxd8w:rGIio8M7xXIlLTqa7ohPv8w

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKaUarDZDG.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKaUarDZDG.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\tKaUarDZDG.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2944	2308	java.exe	29
PID 2308 wrote to memory of 2944	2308	java.exe	29
PID 2308 wrote to memory of 2944	2308	java.exe	29
PID 2944 wrote to memory of 2604	2944	wscript.exe	30
PID 2944 wrote to memory of 2604	2944	wscript.exe	30
PID 2944 wrote to memory of 2604	2944	wscript.exe	30
PID 2944 wrote to memory of 2480	2944	wscript.exe	31
PID 2944 wrote to memory of 2480	2944	wscript.exe	31
PID 2944 wrote to memory of 2480	2944	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\b63a2f41efeaf76634460ebf1b32226d.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\usdbfroxqt.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tKaUarDZDG.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2604
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mklksuhhss.txt"
    3⤵
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mklksuhhss.txt

Filesize
92KB

MD5
e960b9b8954afa303d7989eed1290637

SHA1
a42410c56fb024243014c29334152c209ab88873

SHA256
4439ce946a74288bc91360bee4b7ef43e7efeced81432ba10728220c323d7c7f

SHA512
cdb3f0e2911f1841919847903c6f6bd695e3f15106c1a5b7fa19b70e549967beefa7c32c87a1a2040bbc2b7a75b1a90adc7a7e113f519e15b09f62dc0ea473c8

Download Submit
C:\Users\Admin\AppData\Roaming\tKaUarDZDG.js

Filesize
5KB

MD5
1f7a1f50ddcaacd7c16098f452ae3ea9

SHA1
c31e3feb895e9b69db5e014cc42a2b3e03473016

SHA256
f14d01dc44ad040b5c3a8b418aa4c27bc476f0c5bd7af5e1554547fe0f6bb2ef

SHA512
6835fe9faac663378a6bd96e4dcba1f492d4dc488d410e019a965ca3c989c0d66d39f71b213a579c0e55fa4e52deb542b64c9b68108763af6ffed89414867271

Download Submit
C:\Users\Admin\usdbfroxqt.js

Filesize
191KB

MD5
af85d8109ff251f1db6191b46ef8c66f

SHA1
b1f6c58407bd70c4819db5eecfbc2cdcb5af77e3

SHA256
5ec545f3cccb7dddd12196320fb5144f131818170d87000cdca10fe9fb0353d4

SHA512
1a7bf9da69cd189c15d33c0a7114670c0a0c5b76cf6f8cece60c33cac7b32cb7d22d13a989d19f61eebead584429d3ed9afdd8a222959b24ee31abc62353d48d

Download Submit
memory/2308-8-0x0000000002620000-0x0000000005620000-memory.dmp

Filesize
48.0MB

Download
memory/2308-12-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2480-29-0x0000000002510000-0x0000000005510000-memory.dmp

Filesize
48.0MB

Download
memory/2480-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2480-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2480-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2480-80-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2480-82-0x0000000002510000-0x0000000005510000-memory.dmp

Filesize
48.0MB

Download
memory/2480-92-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads