vjw0rm | ce199d986d0d04279edd245f3a0fe115c7c680a214d73feed8a8451b7b7feb94

General

Target

f8f5bed73850632ff591989c5b88f9ee_JaffaCakes118.js
Size

200KB
MD5

f8f5bed73850632ff591989c5b88f9ee
SHA1

ce9066586bf44f0e77243ebdd6d2ce109cf7bd7a
SHA256

ce199d986d0d04279edd245f3a0fe115c7c680a214d73feed8a8451b7b7feb94
SHA512

72be43f9ce219a02fc9ee7395867e91f9b175fffa3cf6c69800d5a8ab3e7617bf22e56fa5d1506bfc5b81d303f86c4be278debaad472e7a7bd41e10a0b31a9a9
SSDEEP

3072:Udaf0RYaop8OBm/wUvHd9ucLxPfhpDO2r63V1r7Dfi8oUuEF8nc:DKotBkzCc9nLA3V1HTBuEYc

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\paCczCKasj.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\paCczCKasj.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1760 icacls.exe

pid	process
1760	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\paCczCKasj.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 3460 wrote to memory of 1208	3460	wscript.exe	WScript.exe
PID 3460 wrote to memory of 1208	3460	wscript.exe	WScript.exe
PID 3460 wrote to memory of 4332	3460	wscript.exe	javaw.exe
PID 3460 wrote to memory of 4332	3460	wscript.exe	javaw.exe
PID 4332 wrote to memory of 1760	4332	javaw.exe	icacls.exe
PID 4332 wrote to memory of 1760	4332	javaw.exe	icacls.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\f8f5bed73850632ff591989c5b88f9ee_JaffaCakes118.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\paCczCKasj.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1208
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jjdtcctgms.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ef60c1f37208c61f0faa45ed9cc1f04f

SHA1
31d2e2696467956a22106282a39072858c0b3820

SHA256
a65871bd2c1f402029639696740863df725beade3ac74ada5a019530828293c5

SHA512
557f155cfe7e6883777f5ac816058538dd1fcd13623e58b50011d88a36b8b5ca381e5b0bc0ae81f42b25b14d2c6262add1af6d5108f0f1c9faf29c08269c43c4

Download Submit
C:\Users\Admin\AppData\Roaming\jjdtcctgms.txt

Filesize
92KB

MD5
d586663f3ff01f6ccddc890a9013aad6

SHA1
4ed9f24d7eeda73c96fef0128d991cfab005e0f8

SHA256
a32832b7da66a6c36a28bc5f2d49b70a555980032d4d0f823cf514089e226b59

SHA512
a1b8c0336ee6c8323329ba1c4a892943e238c1dbad15d78bdf5ae4fc089b397c4dce4770dfe03752cddf52819b62106cbb1a960ebaa0c4125df01a42846ebb98

Download Submit
C:\Users\Admin\AppData\Roaming\paCczCKasj.js

Filesize
9KB

MD5
73cccf2fad42bfd86b4a218c256e3fd7

SHA1
f3ff6f9f588f7f8a725e258e984e128f580f28ea

SHA256
495768f61cf6a338ca8e50e5f453a4ce6af19fd5881b3e848cb7741564c8ca57

SHA512
9b86af50aeb1ede45103318d51e55c97c90b4a9aec33e916824c910965f2abb777f8a4d805ad44e4bd4ff92503b7c2f054b7c3b368e26af901a10c48160d9cc5

Download Submit
memory/4332-60-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-88-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-25-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-36-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-37-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-45-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-50-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-56-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-59-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-10-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-85-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-18-0x0000024D49340000-0x0000024D49341000-memory.dmp

Filesize
4KB

Download
memory/4332-117-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-124-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-128-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-129-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-130-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-131-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-132-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-133-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download
memory/4332-137-0x0000024D4AC40000-0x0000024D4BC40000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads