vjw0rm | 872339e661e1a90638d6981b8b09d56cccebdfdfad0fabb2c5100f4c05bccce7

General

Target

f924ea1d9a529af64d57c5daa6f55bab_JaffaCakes118.js
Size

205KB
MD5

f924ea1d9a529af64d57c5daa6f55bab
SHA1

e39ec476abb7acce4e713f15fb121ceed72b12c2
SHA256

872339e661e1a90638d6981b8b09d56cccebdfdfad0fabb2c5100f4c05bccce7
SHA512

3d59266b9bbfa01dd4c694faa42f53d8c87eae2698cfdfdd941eaa6cfaeeb2383c0fdf4deb32f4c0ecaf8ffa671737ee7d6acbd186ef8ee3c0ef85e79719140c
SSDEEP

6144:tU5lqJ5dGjL4i86p4hLznblMs57Rn+eiX:+Ed4E5bh/RXC

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LQlAlqxPqv.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LQlAlqxPqv.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4660 icacls.exe

pid	process
4660	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\LQlAlqxPqv.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 5112 wrote to memory of 1508	5112	wscript.exe	WScript.exe
PID 5112 wrote to memory of 1508	5112	wscript.exe	WScript.exe
PID 5112 wrote to memory of 1468	5112	wscript.exe	javaw.exe
PID 5112 wrote to memory of 1468	5112	wscript.exe	javaw.exe
PID 1468 wrote to memory of 4660	1468	javaw.exe	icacls.exe
PID 1468 wrote to memory of 4660	1468	javaw.exe	icacls.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\f924ea1d9a529af64d57c5daa6f55bab_JaffaCakes118.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\LQlAlqxPqv.js"
2⤵
- Drops startup file
- Adds Run key to start application
PID:1508

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jeoqbmkh.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=4112,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:1
1⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5596,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:1
1⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5524,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:1
1⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
c660f2d08428c1e8d71e82031c4f69ef

SHA1
b4ca78328dec4e22a35168d5de559e1b4fec71c5

SHA256
7e8cd4379a5ac5488f77aa9d11745811387b50c1d62b88d69a2b704ae8bcd943

SHA512
c55212beaee8f1c6465e3a7fd979526591652ca12b7d05dfdee25481e3a9df091ca9f805e3b4b36dfcaf3d1d9ac083c2d40bf91a1e73d2c97e3caec395a73584

Download Submit
C:\Users\Admin\AppData\Roaming\LQlAlqxPqv.js
Filesize
10KB

MD5
60b4571a8ea0c638af1345fc7a0a3c83

SHA1
982907d9eb4134ff8f49c9b77006c26b71275a2e

SHA256
548dd0948082a5cf5bbb25c171cc0f49b59bcad7b89b5c450e5818292e500711

SHA512
e1110e8478db3a2fe1f4db2b2941fa5684cb0f52cce314a1d365b5ae21fee40ef6f6ae4aa390e461b59f594612dcb0038c47da457cbb9dad6bf6ffa7448e423b

Download Submit
C:\Users\Admin\AppData\Roaming\jeoqbmkh.txt
Filesize
92KB

MD5
2e458a59025b390fbdf7d3717314b507

SHA1
d5a84f501bfa81682ebde5e31a68794140141785

SHA256
6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b

SHA512
2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22

Download Submit
memory/1468-56-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-64-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-22-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-26-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-39-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-44-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-54-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-15-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-63-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-19-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-66-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-85-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-86-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-87-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-91-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-93-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-99-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-105-0x0000024EB7510000-0x0000024EB7511000-memory.dmp

Filesize
4KB

Download
memory/1468-117-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1468-118-0x0000024EB8DC0000-0x0000024EB9DC0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads