Overview

overview

10

Static

static

1

Order550232.jar

windows7-x64

10

Order550232.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order550232.jar

  • Size

    129KB

  • MD5

    c91d4750382881ff7da852e22a6f2419

  • SHA1

    b916255dfadf02871d0a84083e989df52396e75b

  • SHA256

    12eac35e31b525e6257a42f809868ad6203e9ed8c8b07b487a46cfa0ba5ed4d3

  • SHA512

    e897cd5a0b05e557d83aa3c3678dcd565cd53737b8d05fe46515e56b7ff229d218c1cc908c57d1dcbf4b5fdd7295d2a44deaff81c76c91c4f7ff1db201266244

  • SSDEEP

    3072:jo1lDnmPMoEu8S5IL47n3RervM8+gjkztlabpOex5ruXIbCuo:wKPMoCS5gm3UryusGOexWuo

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Order550232.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:2004
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\euvrrnhkej.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dqTlpEOTrV.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:2112
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vgnxmgugrs.txt"
        3⤵
        • Drops file in Program Files directory
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    e3a5409871ae5715650be9a390b97337

    SHA1

    b2692d4cdaa5edbb9e7d10b2b6c108d543f18d06

    SHA256

    2778a42795b1fb5c50a6877e930e9d9662d35c84079a8b0c7ed3b903372fb399

    SHA512

    54d0e8182c6c261b95dbcb48bf61ce58dadeeb95c840846f7ca6a33c68c49259de404eee49cbb36f6ffc2251713810d7fc6b3f8b960b3f358e445b21a589a75c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dqTlpEOTrV.js
    Filesize

    11KB

    MD5

    3a463dc3f1ccbb255564f73dccca622e

    SHA1

    ab4a88d983c371128c73699cac7e308ca7870f7b

    SHA256

    18c2e58bfb5e035d4c1e4d2ba4e506c8041c739ec32ec9ce80ba00adc4dbd550

    SHA512

    d7a4fdb65d1b5ff1616489e7b893ebab3f1e160c99007a43fc73ada3ec53cc9ddae4c3a6acb6e2852b239de336253064fd838d3f843c09e2ab952dce8e8e2cbe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vgnxmgugrs.txt
    Filesize

    92KB

    MD5

    2ed25df72bd13cca5979c53b8fe7e529

    SHA1

    82b9c61b60f966e1ff77374b7aea67334ae98ef1

    SHA256

    81473eced4690bb6172d677771924cd4a0542c74f00dae2b3493cbebc6b1549c

    SHA512

    3086609e10bb6504ac26fb573874ade44ec446e19ac7d1e059f108dbaf31271617a10addabed41997e400bc885d07ef713054ef2d2246748809740a64c7e90f6

    Download Submit

  • C:\Users\Admin\euvrrnhkej.js
    Filesize

    205KB

    MD5

    d5fe40e5e35ebbc1a60c54672f775325

    SHA1

    9b01278c620351932e98e95db9881f18652f7e67

    SHA256

    a40e1a0e0a1e68051cefc29955d92d99efa3d24a8d70052de8aa9e4ab08da32b

    SHA512

    2ade53d5a1d303328af40acf3f1d231fc54a8b3eb0d1e934094a7b7c63e5035c679e7ce89465e0ea4ea796e7f5f991c1da760cb64ad4b15b8d9130272e6d617c

    Download Submit

  • memory/768-4-0x000001F36FDD0000-0x000001F370DD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/768-14-0x000001F36E570000-0x000001F36E571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-26-0x000001E980000000-0x000001E981000000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1152-34-0x000001E9F9BC0000-0x000001E9F9BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-39-0x000001E980000000-0x000001E981000000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1152-41-0x000001E980280000-0x000001E980290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1152-42-0x000001E980290000-0x000001E9802A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1152-43-0x000001E980000000-0x000001E981000000-memory.dmp

    Filesize

    16.0MB

    Download