vjw0rm | 04794d83a3b53d9d2267376f061e61b970545ca95a7d0d5f863f5f08d2a8484e

Analysis

max time kernel
3s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

njmyettnik.js
Size

1.7MB
MD5

54c3af244b903c34bc75114d6c646a7c
SHA1

ab8361b65b43961d09f26bf9e30ecda857d63038
SHA256

04794d83a3b53d9d2267376f061e61b970545ca95a7d0d5f863f5f08d2a8484e
SHA512

faf6e88481e052a2a3b0814a250746b0dd36ba41b7cf766a5308535c5f6ae0042447a769737bce0b0ef0542631bdd8d5381712f9f9622100867620b49cbbe8d6
SSDEEP

24576:PcX5jU8K3wU/qkyvKTmTWRTJ2OSy1LJx2DJpp6UY8X9UogttxldmtdAMPkIJxe3L:Px7tZHfY7AHk+

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\0IDR124VF6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\IyFfaseYOW.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\zqndefamk.txt\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3028 schtasks.exe

pid	process
3028	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.exeWScript.exeWScript.exe

description	pid	process	target process
PID 612 wrote to memory of 1296	612	wscript.exe	WScript.exe
PID 612 wrote to memory of 1296	612	wscript.exe	WScript.exe
PID 612 wrote to memory of 1296	612	wscript.exe	WScript.exe
PID 1296 wrote to memory of 1292	1296	WScript.exe	WScript.exe
PID 1296 wrote to memory of 1292	1296	WScript.exe	WScript.exe
PID 1296 wrote to memory of 1292	1296	WScript.exe	WScript.exe
PID 1296 wrote to memory of 524	1296	WScript.exe	javaw.exe
PID 1296 wrote to memory of 524	1296	WScript.exe	javaw.exe
PID 1296 wrote to memory of 524	1296	WScript.exe	javaw.exe
PID 1292 wrote to memory of 3028	1292	WScript.exe	schtasks.exe
PID 1292 wrote to memory of 3028	1292	WScript.exe	schtasks.exe
PID 1292 wrote to memory of 3028	1292	WScript.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\njmyettnik.js
1⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pRiTJcKows.js"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js
4⤵
- Creates scheduled task(s)
PID:3028

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zqndefamk.txt"
3⤵
PID:524

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw" -jar "C:\Users\Admin\AppData\RoamingServer348179690.jar"
4⤵
PID:2868

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\snushy.txt"
2⤵
PID:2416

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.66960703770555865669117145624305093.class
3⤵
PID:2964

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2533724943117367854.vbs
3⤵
PID:2684

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2533724943117367854.vbs
4⤵
PID:2796

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5495715593952342573.vbs
3⤵
PID:788

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5495715593952342573.vbs
4⤵
PID:1348

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
3⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive2533724943117367854.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5495715593952342573.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.66960703770555865669117145624305093.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\RoamingServer348179690.jar
Filesize
130KB

MD5
94744b9845e5f391cca7260098bbe1a2

SHA1
f297391b564b68d07739a1f9723e915777abc279

SHA256
171c05a83078824f27b9cb3ab2b152579edfefaea4c1dea5e690a5367c0e67d3

SHA512
d0d84b46cd586f3a020bf00ee2dedd8c33887337de6eac0c1936ad74c7b2c33343653d91067e4916a55def3d06b5b586cb5b1be38959963cad8c6632571b9168

Download Submit
C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js
Filesize
18KB

MD5
9ad074e4b977d42b16bea24a940ffd32

SHA1
38b9ca30670d8dd3f6b25ebda0d7a8256642b379

SHA256
077d7fe9434715f0c9e979bc4b9d347a3d07a3cbec8be282dc0f9c2d0c52bba1

SHA512
6c2a7f01bb37776c68eab8f2535c0e9901f7c4f72af9a503d09b8fd6a909a30fd8632d183f472b8de26c0ce4c0eb736e0e16381be933b4c21e47614542cde2eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\83aa4cc77f591dfc2374580bbd95f6ba_4456596e-0528-4680-8940-5edc26c0ff50
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Users\Admin\AppData\Roaming\pRiTJcKows.js
Filesize
432KB

MD5
034c080d4ba7e16b021e22a8d0dedf24

SHA1
da13f8f5b9913b5b6640b76810da6a04bef4f981

SHA256
f2d6b3e1d4aa68c00b02c86d480467397632b6dea31c46fc65c511b6c6e09976

SHA512
d1190857df51d350954c1011c49adc3839db447c1027026019e3d8b8ac3be54f5c4207240ddadbcb95ed5d0ab066cfa371cd691833034babbb243dc75a7ed556

Download Submit
C:\Users\Admin\AppData\Roaming\snushy.txt
Filesize
473KB

MD5
b6406389aefbf2586dc5366ca89dac5e

SHA1
51cfa13bd26f81bb09cd72f60a4a7726c54b4da1

SHA256
cb1eaa5ccbcfed884e6376661f724e0c0c1261ea6da751812e49b9ea2169f860

SHA512
ffa2dc94918bc6b54f704e660cc558b0269f871a2ca1bb74b43fd2648796207fbf014468e7c1c5d2c2c757b6be3ddaecd9c117a7edb6338933470db5e132c8f6

Download Submit
C:\Users\Admin\AppData\Roaming\zqndefamk.txt
Filesize
146KB

MD5
37b1429e7e0671bd1a61e99dd86cff71

SHA1
5b5f0c6bf438775a6d9966013dead771138e03e6

SHA256
f5b8ca4d2d55cd0fbd08ac098fc5ebf2f588881976605c91b50433e4cf4c5ccb

SHA512
2b30b03922086e6da383fadfc2e2e1ee529eced47d9a1a3763948b22cd312dd65d56c60e01c97e8fd4e6eb9b82c6a02342868e3c4057809cac8adb95ed4069c7

Download Submit
memory/524-15-0x00000000023A0000-0x00000000053A0000-memory.dmp

Filesize
48.0MB

Download
memory/524-24-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/524-190-0x00000000023A0000-0x00000000053A0000-memory.dmp

Filesize
48.0MB

Download
memory/2416-117-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2416-123-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2416-83-0x00000000022B0000-0x00000000052B0000-memory.dmp

Filesize
48.0MB

Download
memory/2416-84-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2868-28-0x0000000002330000-0x0000000005330000-memory.dmp

Filesize
48.0MB

Download
memory/2868-65-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2868-66-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2868-41-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2868-40-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2868-39-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2868-385-0x0000000002330000-0x0000000005330000-memory.dmp

Filesize
48.0MB

Download
memory/2868-36-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2964-118-0x0000000002330000-0x0000000005330000-memory.dmp

Filesize
48.0MB

Download