Overview

overview

10

Static

static

1

b63a2f41ef...6d.jar

windows7-x64

10

b63a2f41ef...6d.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b63a2f41efeaf76634460ebf1b32226d.jar

  • Size

    125KB

  • MD5

    b63a2f41efeaf76634460ebf1b32226d

  • SHA1

    a45e1e55cc9aef31f2d9a60a11693e2d5d172fbe

  • SHA256

    e69e8751b597257f5e4f6a3fe1fdfa0ef273d8c6c6a7b1e620e392aee0cc64e4

  • SHA512

    4b5ad11c67e8ca623c4e38b6fef15ce262ad5f2b4319aac2b4df57504c067b5b8240e9490ef686d0c2c40e2b9185b6ef1551e84bba2c6b58766e752860931faa

  • SSDEEP

    3072:rGMG3YXiOSXwVB8iJjzVhZnX3R+lIL+TqQN7JmhPxd8w:rGIio8M7xXIlLTqa7ohPv8w

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\b63a2f41efeaf76634460ebf1b32226d.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:4368
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\usdbfroxqt.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tKaUarDZDG.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:2028
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fqjwwfxgmt.txt"
        3⤵
          PID:3500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      46B

      MD5

      edb2b9dec2de38c611b70b2e27aa21e4

      SHA1

      c7349e9f5374eb7fdb3d370d1a88b4b61014a275

      SHA256

      20c88de33ed500605813ccfda620359d8e797c274cc2574c964163f4bf64c622

      SHA512

      c2e2c1c98351db43730b261d63d191584a21a25ab48c6c40173c03893edcea95d9aadca72c3ac38afd37b186e21d704dfbf71dcd1b100b16a0c523a175d0f5b1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\fqjwwfxgmt.txt
      Filesize

      92KB

      MD5

      e960b9b8954afa303d7989eed1290637

      SHA1

      a42410c56fb024243014c29334152c209ab88873

      SHA256

      4439ce946a74288bc91360bee4b7ef43e7efeced81432ba10728220c323d7c7f

      SHA512

      cdb3f0e2911f1841919847903c6f6bd695e3f15106c1a5b7fa19b70e549967beefa7c32c87a1a2040bbc2b7a75b1a90adc7a7e113f519e15b09f62dc0ea473c8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tKaUarDZDG.js
      Filesize

      5KB

      MD5

      1f7a1f50ddcaacd7c16098f452ae3ea9

      SHA1

      c31e3feb895e9b69db5e014cc42a2b3e03473016

      SHA256

      f14d01dc44ad040b5c3a8b418aa4c27bc476f0c5bd7af5e1554547fe0f6bb2ef

      SHA512

      6835fe9faac663378a6bd96e4dcba1f492d4dc488d410e019a965ca3c989c0d66d39f71b213a579c0e55fa4e52deb542b64c9b68108763af6ffed89414867271

      Download Submit

    • C:\Users\Admin\usdbfroxqt.js
      Filesize

      124KB

      MD5

      6330f419fd4ad2cda24d47be23c79b95

      SHA1

      afd52d54e8799275e98047cedce5bbaefc771a52

      SHA256

      b3a16ca2e73912696de6a5308ca1b22b981369761df947f4641212d783450418

      SHA512

      1d13d797e47916484a1a5dd8376bd9ac83e9dccca91636038059c64c3e214275c232721f0b146152800f5f49bdd5c9e3d907f2dc813e489153b2f6c57cecbf10

      Download Submit

    • memory/1988-3-0x000001F4B8360000-0x000001F4B9360000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1988-14-0x000001F4B6940000-0x000001F4B6941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-60-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-72-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-39-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-42-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-51-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-50-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-30-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-65-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-67-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-33-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-74-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-76-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-103-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-107-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-119-0x0000022230EB0000-0x0000022230EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-126-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-130-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-134-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-138-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3500-141-0x00000222326A0000-0x00000222336A0000-memory.dmp

      Filesize

      16.0MB

      Download