vjw0rm | 56ca8f9b8ac1cb7dab8123ba8b84a067e05527f75ffbe18046b1f12c0ac4db2c

General

Target

d92e4d601fad56e8750ea73e8b0e53d9.jar
Size

621KB
MD5

d92e4d601fad56e8750ea73e8b0e53d9
SHA1

6170d6d322c7b46268d153030b966785217ed982
SHA256

56ca8f9b8ac1cb7dab8123ba8b84a067e05527f75ffbe18046b1f12c0ac4db2c
SHA512

ef513f88c03031f147599463f4a0cb3e530a01d29db439b542e5c03c4cc35bbbe79bd90c54f5604033cbd8044bcca0d279888c0d37f3cdb1d2c78292ba2c30c5
SSDEEP

12288:PpHLHFPoyVTEmJyQH2hXj3v90mju+hrHD9oZ2VzGejfENmCuJJWkBxM0:9LHFPhdEmJzH2llFvhrHGZwnFqSxJ

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HXpBUBTtZF.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HXpBUBTtZF.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\HXpBUBTtZF.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

java.exewscript.exejavaw.exe

description	pid	process	target process
PID 2744 wrote to memory of 2764	2744	java.exe	wscript.exe
PID 2744 wrote to memory of 2764	2744	java.exe	wscript.exe
PID 2744 wrote to memory of 2764	2744	java.exe	wscript.exe
PID 2764 wrote to memory of 2472	2764	wscript.exe	WScript.exe
PID 2764 wrote to memory of 2472	2764	wscript.exe	WScript.exe
PID 2764 wrote to memory of 2472	2764	wscript.exe	WScript.exe
PID 2764 wrote to memory of 1984	2764	wscript.exe	javaw.exe
PID 2764 wrote to memory of 1984	2764	wscript.exe	javaw.exe
PID 2764 wrote to memory of 1984	2764	wscript.exe	javaw.exe
PID 1984 wrote to memory of 268	1984	javaw.exe	java.exe
PID 1984 wrote to memory of 268	1984	javaw.exe	java.exe
PID 1984 wrote to memory of 268	1984	javaw.exe	java.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\d92e4d601fad56e8750ea73e8b0e53d9.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\gbystgqcic.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2472
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zoyeadgvpc.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.94155529506905817629921464110201473.class
      4⤵
      PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.94155529506905817629921464110201473.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js

Filesize
11KB

MD5
150efb51ec05bc4a9bbb525397f5f741

SHA1
be85f05d5a074fa98232cf993fc6f5a7dac9f880

SHA256
b97357a2422085a44feea1491f88a44e3a9080cef0330a70b6d9cc0f0ed3cd19

SHA512
e45f7012eb013e53b9a49e239bf7c07a81a08587501674fdb0e6f048edfa904b01138da374ce51b131f1bda952761cc64e317fe453e76d8cf099868a4ad301e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-778096762-2241304387-192235952-1000\83aa4cc77f591dfc2374580bbd95f6ba_e942923e-bba7-4713-9a9e-94ded71626f5

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\zoyeadgvpc.txt

Filesize
473KB

MD5
ca4cf45e9499c04f77d54212bb0805c0

SHA1
296688e7207ddbdd7f0e5096ae9c1993b5ff130b

SHA256
f8255759c5da02e9b0de11ea93f90f14fc34bb8cd839ff7c4a53a86438b11344

SHA512
90075be1e95bacdb020504304b79cc1e2fca3eadcffd87d00c16d95ce93922e3b1835b93d0f91874dcfb3dd17b8dafad65c3a258bd95a0e05a237cd4f1691d0b

Download Submit
C:\Users\Admin\gbystgqcic.js

Filesize
905KB

MD5
b66fe74731233f91d26f03d3ac6c0fe3

SHA1
450a3eb0ec332e643658bc6a8a5a94fb4b0f41b9

SHA256
877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8

SHA512
c63c7eba2692232e4f8a84f2a6945adcf24187ff3d9ec8f7be29e51b3c2ff3c710b3d2cc6604434c2a6359801301e6fb5fb0f33b0fe1848d1c7d73bdc6f019c5

Download Submit
memory/268-46-0x0000000002260000-0x0000000005260000-memory.dmp

Filesize
48.0MB

Download
memory/268-48-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1984-34-0x0000000002120000-0x0000000005120000-memory.dmp

Filesize
48.0MB

Download
memory/1984-40-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1984-49-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x0000000002120000-0x0000000005120000-memory.dmp

Filesize
48.0MB

Download
memory/2744-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/2744-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads