Overview

overview

10

Static

static

1

d92e4d601f...d9.jar

windows7-x64

10

d92e4d601f...d9.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2024 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d92e4d601fad56e8750ea73e8b0e53d9.jar

  • Size

    621KB

  • MD5

    d92e4d601fad56e8750ea73e8b0e53d9

  • SHA1

    6170d6d322c7b46268d153030b966785217ed982

  • SHA256

    56ca8f9b8ac1cb7dab8123ba8b84a067e05527f75ffbe18046b1f12c0ac4db2c

  • SHA512

    ef513f88c03031f147599463f4a0cb3e530a01d29db439b542e5c03c4cc35bbbe79bd90c54f5604033cbd8044bcca0d279888c0d37f3cdb1d2c78292ba2c30c5

  • SSDEEP

    12288:PpHLHFPoyVTEmJyQH2hXj3v90mju+hrHD9oZ2VzGejfENmCuJJWkBxM0:9LHFPhdEmJzH2llFvhrHGZwnFqSxJ

Score
10/10
vjw0rmdiscoverypersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\d92e4d601fad56e8750ea73e8b0e53d9.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:2016
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\gbystgqcic.js
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:2500
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qboasqjo.txt"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Program Files\Java\jre-1.8\bin\java.exe
          "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.105551579451586221569121857187342560.class
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          PID:1844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    f922a10659067e061df2db53b93a7cb0

    SHA1

    e8aa99f30e248730e8a0ffb4a1accec1bb88a349

    SHA256

    3e7abfde9af501d2145da5bf53c6702bbbe0dd8f6313ae846abfb23976737f7a

    SHA512

    007544d4e436e9fc5e31a68660bf650ca088f44d90ba6c3d6a4aeb8f33a7ea6f61f017a1b574032adfe603dddeabe46939b5673f01cf5f8738b451896e2f2b44

    Download Submit

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    b76ef443d0f75d94468e98a9d0d082e4

    SHA1

    f5724fa1ca1aba83ee0d35166020ac28041d2721

    SHA256

    f81fba2008f6aa97f95ed6ea7891b269d0302b9b5e4c30eea10a82095e7760c1

    SHA512

    3ab559518049f6e21a84c8044b2a578ab86b212ec7ac5241b4e1580954e0aaa5aa51c919b7f83cd8c51d6bc0fa40caae80bf7d54c730be09b99702ef1a42efb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_0.105551579451586221569121857187342560.class
    Filesize

    241KB

    MD5

    781fb531354d6f291f1ccab48da6d39f

    SHA1

    9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

    SHA256

    97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

    SHA512

    3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\HXpBUBTtZF.js
    Filesize

    11KB

    MD5

    150efb51ec05bc4a9bbb525397f5f741

    SHA1

    be85f05d5a074fa98232cf993fc6f5a7dac9f880

    SHA256

    b97357a2422085a44feea1491f88a44e3a9080cef0330a70b6d9cc0f0ed3cd19

    SHA512

    e45f7012eb013e53b9a49e239bf7c07a81a08587501674fdb0e6f048edfa904b01138da374ce51b131f1bda952761cc64e317fe453e76d8cf099868a4ad301e5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3045580317-3728985860-206385570-1000\83aa4cc77f591dfc2374580bbd95f6ba_2d983147-f9f1-498d-be7e-1997eada874a
    Filesize

    45B

    MD5

    c8366ae350e7019aefc9d1e6e6a498c6

    SHA1

    5731d8a3e6568a5f2dfbbc87e3db9637df280b61

    SHA256

    11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

    SHA512

    33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qboasqjo.txt
    Filesize

    473KB

    MD5

    ca4cf45e9499c04f77d54212bb0805c0

    SHA1

    296688e7207ddbdd7f0e5096ae9c1993b5ff130b

    SHA256

    f8255759c5da02e9b0de11ea93f90f14fc34bb8cd839ff7c4a53a86438b11344

    SHA512

    90075be1e95bacdb020504304b79cc1e2fca3eadcffd87d00c16d95ce93922e3b1835b93d0f91874dcfb3dd17b8dafad65c3a258bd95a0e05a237cd4f1691d0b

    Download Submit

  • C:\Users\Admin\gbystgqcic.js
    Filesize

    905KB

    MD5

    b66fe74731233f91d26f03d3ac6c0fe3

    SHA1

    450a3eb0ec332e643658bc6a8a5a94fb4b0f41b9

    SHA256

    877d4d148ddd634c30c781a9da721cec54f83c1cec9ff7995f94ad100c2aedd8

    SHA512

    c63c7eba2692232e4f8a84f2a6945adcf24187ff3d9ec8f7be29e51b3c2ff3c710b3d2cc6604434c2a6359801301e6fb5fb0f33b0fe1848d1c7d73bdc6f019c5

    Download Submit

  • memory/1164-75-0x000002441D8D0000-0x000002441D8E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-81-0x000002441D920000-0x000002441D930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-143-0x000002441D660000-0x000002441E660000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1164-32-0x000002441D660000-0x000002441E660000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1164-86-0x000002441D660000-0x000002441E660000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1164-58-0x000002441BFE0000-0x000002441BFE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-82-0x000002441D940000-0x000002441D950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-66-0x000002441D660000-0x000002441E660000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1164-34-0x000002441BFE0000-0x000002441BFE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-79-0x000002441D910000-0x000002441D920000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-76-0x000002441D900000-0x000002441D910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1164-77-0x000002441D8F0000-0x000002441D900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1844-98-0x0000018285260000-0x0000018285261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-103-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-59-0x0000018285260000-0x0000018285261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-54-0x0000018285260000-0x0000018285261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-91-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-94-0x0000018285260000-0x0000018285261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-49-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-142-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-123-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-115-0x0000018285280000-0x0000018286280000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1844-99-0x0000018285260000-0x0000018285261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-141-0x0000018285590000-0x00000182855A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4016-7-0x0000018FC2840000-0x0000018FC3840000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4016-14-0x0000018FC0FB0000-0x0000018FC0FB1000-memory.dmp

    Filesize

    4KB

    Download