vjw0rm | ae33e9f2e18d4fdd25db5bc30b8b8bdd63b53794e225dbe818ebe65a29b0dc95

General

Target

d82b9d7af67f2ade0c11bfe6bfd69544.jar
Size

129KB
MD5

d82b9d7af67f2ade0c11bfe6bfd69544
SHA1

051c9770aebcc850ae09baa6a223848a7aa3f289
SHA256

ae33e9f2e18d4fdd25db5bc30b8b8bdd63b53794e225dbe818ebe65a29b0dc95
SHA512

fbfc1943e95be1d5c9a536e2aa9267b188eb81e9c9445074c2b69d01f7d092c0d1590e15c8579da0c6ab1ba97e1767cd5a2984a1eb6e08611df3fec5764dc555
SSDEEP

3072:PdaZuzVCyUNstfAQyHuAYWgPNr6K5V3I/Iy7+itIlhGDbmC:PNIsNyH/LgPNrPH4/I7jhGDb

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DGjEIUIodz.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DGjEIUIodz.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\DGjEIUIodz.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2584	1008	java.exe	29
PID 1008 wrote to memory of 2584	1008	java.exe	29
PID 1008 wrote to memory of 2584	1008	java.exe	29
PID 2584 wrote to memory of 2892	2584	wscript.exe	30
PID 2584 wrote to memory of 2892	2584	wscript.exe	30
PID 2584 wrote to memory of 2892	2584	wscript.exe	30
PID 2584 wrote to memory of 2364	2584	wscript.exe	31
PID 2584 wrote to memory of 2364	2584	wscript.exe	31
PID 2584 wrote to memory of 2364	2584	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\d82b9d7af67f2ade0c11bfe6bfd69544.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\exohdopokf.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2892
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xdebhoim.txt"
    3⤵
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DGjEIUIodz.js

Filesize
10KB

MD5
f38989cc8aaa486a1d20937d3364715c

SHA1
33dd1be185eba1eb4a6c52182c3df3f53ca6e9a5

SHA256
e582d7660be65f8dcfc39688ea515022baaa734b5fb336e7f2a1e4e19071b4d5

SHA512
c619a61774708eb36cf96b634221dad4d72f0fc5f820866508b0540415ee436b9fcb7779795d7a8f7096f68296e41088d650134c1b67f3a77105a31f9026ed0a

Download Submit
C:\Users\Admin\AppData\Roaming\xdebhoim.txt

Filesize
92KB

MD5
af3ce0807ad734c6e6b2f35d7ddf06ad

SHA1
8b771d227019e07a077aaed04d5f1016ed37cb95

SHA256
a586c03463ca23ecb682d1505492ce375e63f3d7bd26cc12272e716a3f0016d3

SHA512
771e3d25082b3d55e10f42008d363a08756ab437f1c7880911f18d73457e5a8aa599eb6dce52c854955faded427ff17c5a37d755c70304a05eff3f0e7eeadd08

Download Submit
C:\Users\Admin\exohdopokf.js

Filesize
207KB

MD5
b8722654a1ef8fcfebf490bce2492392

SHA1
7669dfc5f9bf91b3231fe30cb052adeb60e5f749

SHA256
87d6eb8714fe79b95f2f74649cd2fef28e9d57e4c4e990d7ac0f0f6281b978f8

SHA512
2ceff57cdf708ebe9c4b3735589045730178bf9914bcebef478c5ec8fa14fcd879c71c5543c7b90faff71f70ed477f1376e070785e2d3bbe52f11397aaec1846

Download Submit
memory/1008-9-0x0000000002210000-0x0000000005210000-memory.dmp

Filesize
48.0MB

Download
memory/1008-12-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-30-0x0000000002080000-0x0000000005080000-memory.dmp

Filesize
48.0MB

Download
memory/2364-38-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-29-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-45-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-44-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-48-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-49-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-51-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-56-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-59-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2364-65-0x0000000002080000-0x0000000005080000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads