vjw0rm | 2013959396545e0d1c1a0c178544a778764ff12c4fba9a6637835a202cce979b

General

Target

bd402a7b48f2b162736f4848c329792c.jar
Size

147KB
MD5

bd402a7b48f2b162736f4848c329792c
SHA1

fc17278dbfe1e9d65a3b8f2cb8a972017eaf1cc6
SHA256

2013959396545e0d1c1a0c178544a778764ff12c4fba9a6637835a202cce979b
SHA512

af6d380d7c3cc1540b9aa9c1bf070178f4120b78f6c571e67b43af1a4cd6199c139a2dd7890b03920cc8cfcfa5c2f56f627b553f0cb09ae71ca495bd73cf7ccc
SSDEEP

3072:vAnBzB/sfK4/mNwKEoZ/4+TK8tA3uQr+22kj5Duor+rS:oB6K4mSKZC39r+6Duor+G

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TgoIKOyHRJ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TgoIKOyHRJ.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3400	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\TgoIKOyHRJ.js\""	WScript.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3400	4064	java.exe	98
PID 4064 wrote to memory of 3400	4064	java.exe	98
PID 4064 wrote to memory of 3640	4064	java.exe	102
PID 4064 wrote to memory of 3640	4064	java.exe	102
PID 3640 wrote to memory of 1004	3640	wscript.exe	103
PID 3640 wrote to memory of 1004	3640	wscript.exe	103
PID 3640 wrote to memory of 3924	3640	wscript.exe	104
PID 3640 wrote to memory of 3924	3640	wscript.exe	104

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\bd402a7b48f2b162736f4848c329792c.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3400
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TgoIKOyHRJ.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:1004
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xuldikdg.txt"
    3⤵
    - Drops file in Program Files directory
    PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
cc2931779e4b087b714647a9561aa7c2

SHA1
60ec2f850803dfb9e0bc0e4a516e96528fbcf2c6

SHA256
f943d85a2d801d7fbdd564110e342d1b0e1a61b9f666b22fe9e78400e931fab0

SHA512
efe2b5f0cbb5792bbbc04e1d871e0baa1af0dbecbdcef1d0317190cdc8aa7b239fecad74b9f7fa779c2cc7166f8ef7cc2dcf18e0eeafccf5ba3f22d9b08faaca

Download Submit
C:\Users\Admin\AppData\Roaming\TgoIKOyHRJ.js

Filesize
9KB

MD5
0aaca684c1da87000ded508128434e5b

SHA1
30e1080049ec19161920641b0d51910edb7c72dc

SHA256
c2d01245ffb256e95fdd530c1fc85da103714fe8d1996f3cea6cbf5d8e8d1b15

SHA512
979fa7dd85f09a1e7f04c5e91f79aba57268361cd0b34dc4c5113f6e56a421565e1241a1bceacf0be3a37eb2601bd8a0285ce861f31b234427f182b71c651e79

Download Submit
C:\Users\Admin\AppData\Roaming\xuldikdg.txt

Filesize
106KB

MD5
7ee83aef0f72ce7f93452b093d9b34f5

SHA1
5c68f45173190f62e953bef170f07059cb54d716

SHA256
040fe3f3bae7be7e1f180b3852016b6de34497a00e6d50b64a05aa334e74961c

SHA512
cb6237b6b1c42e1ac7ba6f7ac69cc1244a20f9e76bca712f699347cc842ec139f2ba0aacfd47f336b458c9d9c5766bed87a3b72591f8ce9dab009909aeedeae7

Download Submit
C:\Users\Admin\_output.js

Filesize
228KB

MD5
d427936b203e2429e10ac2b1e0cb1263

SHA1
85a7521899c6c1cd5fe87b54f8cade2c7e108f15

SHA256
26a3f7c55fb2661c5136308476b533f0a9081341d7fe4c4fa63f22563170eeca

SHA512
2731f349f1598f572a5dc84902db6e4d6614aed89f491374808757593b8e602a3e24c1930465d8b15b451b0b7008903cffbc02e8b67febe664507ef52b61ae05

Download Submit
memory/3924-46-0x000001EF31ED0000-0x000001EF32ED0000-memory.dmp

Filesize
16.0MB

Download
memory/3924-51-0x000001EF31ED0000-0x000001EF32ED0000-memory.dmp

Filesize
16.0MB

Download
memory/3924-26-0x000001EF31ED0000-0x000001EF32ED0000-memory.dmp

Filesize
16.0MB

Download
memory/3924-64-0x000001EF31ED0000-0x000001EF32ED0000-memory.dmp

Filesize
16.0MB

Download
memory/3924-34-0x000001EF30600000-0x000001EF30601000-memory.dmp

Filesize
4KB

Download
memory/3924-39-0x000001EF30600000-0x000001EF30601000-memory.dmp

Filesize
4KB

Download
memory/3924-63-0x000001EF321A0000-0x000001EF321B0000-memory.dmp

Filesize
64KB

Download
memory/3924-60-0x000001EF32180000-0x000001EF32190000-memory.dmp

Filesize
64KB

Download
memory/3924-55-0x000001EF30600000-0x000001EF30601000-memory.dmp

Filesize
4KB

Download
memory/3924-58-0x000001EF32150000-0x000001EF32160000-memory.dmp

Filesize
64KB

Download
memory/3924-59-0x000001EF321B0000-0x000001EF321C0000-memory.dmp

Filesize
64KB

Download
memory/3924-61-0x000001EF31ED0000-0x000001EF32ED0000-memory.dmp

Filesize
16.0MB

Download
memory/3924-62-0x000001EF32190000-0x000001EF321A0000-memory.dmp

Filesize
64KB

Download
memory/4064-15-0x00000257605B0000-0x00000257605B1000-memory.dmp

Filesize
4KB

Download
memory/4064-2-0x00000257605D0000-0x00000257615D0000-memory.dmp

Filesize
16.0MB

Download
memory/4064-11-0x00000257605B0000-0x00000257605B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads