vjw0rm | 04794d83a3b53d9d2267376f061e61b970545ca95a7d0d5f863f5f08d2a8484e

General

Target

njmyettnik.js
Size

1.7MB
MD5

54c3af244b903c34bc75114d6c646a7c
SHA1

ab8361b65b43961d09f26bf9e30ecda857d63038
SHA256

04794d83a3b53d9d2267376f061e61b970545ca95a7d0d5f863f5f08d2a8484e
SHA512

faf6e88481e052a2a3b0814a250746b0dd36ba41b7cf766a5308535c5f6ae0042447a769737bce0b0ef0542631bdd8d5381712f9f9622100867620b49cbbe8d6
SSDEEP

24576:PcX5jU8K3wU/qkyvKTmTWRTJ2OSy1LJx2DJpp6UY8X9UogttxldmtdAMPkIJxe3L:Px7tZHfY7AHk+

Score

10^/10

vjw0rm discovery persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2272 icacls.exe

pid	process
2272	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exeWScript.exeWScript.exejavaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\vkjqdkkhze.txt\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\oyisitjl.txt\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0IDR124VF6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\IyFfaseYOW.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw -jar \"C:\\Users\\Admin\\AppData\\RoamingServer1473725423.jar\""	javaw.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe

pid	process
2564	schtasks.exe

Modifies registry class 2 IoCs

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

2356 javaw.exe

pid	process
2356	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.exeWScript.exejavaw.exeWScript.exejavaw.exe

description	pid	process	target process
PID 4712 wrote to memory of 1244	4712	wscript.exe	WScript.exe
PID 4712 wrote to memory of 1244	4712	wscript.exe	WScript.exe
PID 1244 wrote to memory of 1732	1244	WScript.exe	WScript.exe
PID 1244 wrote to memory of 1732	1244	WScript.exe	WScript.exe
PID 1244 wrote to memory of 3860	1244	WScript.exe	javaw.exe
PID 1244 wrote to memory of 3860	1244	WScript.exe	javaw.exe
PID 3860 wrote to memory of 2272	3860	javaw.exe	icacls.exe
PID 3860 wrote to memory of 2272	3860	javaw.exe	icacls.exe
PID 1732 wrote to memory of 2564	1732	WScript.exe	schtasks.exe
PID 1732 wrote to memory of 2564	1732	WScript.exe	schtasks.exe
PID 3860 wrote to memory of 2356	3860	javaw.exe	javaw.exe
PID 3860 wrote to memory of 2356	3860	javaw.exe	javaw.exe
PID 4712 wrote to memory of 3652	4712	wscript.exe	javaw.exe
PID 4712 wrote to memory of 3652	4712	wscript.exe	javaw.exe
PID 3652 wrote to memory of 3504	3652	javaw.exe	java.exe
PID 3652 wrote to memory of 3504	3652	javaw.exe	java.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\njmyettnik.js
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pRiTJcKows.js"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js
      4⤵
      Creates scheduled task(s)
      PID:2564
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oyisitjl.txt"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:2272
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw" -jar "C:\Users\Admin\AppData\RoamingServer1473725423.jar"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2356
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vkjqdkkhze.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.251301895981173365622919544348425134.class
    3⤵
    PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a4b244551f3a3ed58035682fce3e16b1

SHA1
96b48404c8bbba91d6b31a700653b25a11c53a6b

SHA256
fda810a8558474ebc27140d6ed19901612dcd65e300b14d5d52e2d4faa14d26e

SHA512
1110e7ad286f32c2309d916eafd27dccf0f34cc4a697bf0fa2ff94c2e4e03071a2c46e3ad0006fffcaaea2c8e48186fff469b40be03a80efd8b43bcfc55c6b3b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9a8f6b2864c462aab8dcf7bee07e8974

SHA1
319d6abdc0a4e5da53b4eb7ad84de87ed771c627

SHA256
1d59517e143d0b63de08b9c4ca4d3cbb7a6d229e298247cd61b715eb9c1999d0

SHA512
b3c095cc4e504b03eff1e2cbbf22fa34b045c347ec42e3a1edb85d8a72e9eb3c67998e32025e5f8adceb07fee879965d78a946f5267477898e8ccb248e15b92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.251301895981173365622919544348425134.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\RoamingServer1473725423.jar

Filesize
130KB

MD5
94744b9845e5f391cca7260098bbe1a2

SHA1
f297391b564b68d07739a1f9723e915777abc279

SHA256
171c05a83078824f27b9cb3ab2b152579edfefaea4c1dea5e690a5367c0e67d3

SHA512
d0d84b46cd586f3a020bf00ee2dedd8c33887337de6eac0c1936ad74c7b2c33343653d91067e4916a55def3d06b5b586cb5b1be38959963cad8c6632571b9168

Download Submit
C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js

Filesize
18KB

MD5
9ad074e4b977d42b16bea24a940ffd32

SHA1
38b9ca30670d8dd3f6b25ebda0d7a8256642b379

SHA256
077d7fe9434715f0c9e979bc4b9d347a3d07a3cbec8be282dc0f9c2d0c52bba1

SHA512
6c2a7f01bb37776c68eab8f2535c0e9901f7c4f72af9a503d09b8fd6a909a30fd8632d183f472b8de26c0ce4c0eb736e0e16381be933b4c21e47614542cde2eb

Download Submit
C:\Users\Admin\AppData\Roaming\oyisitjl.txt

Filesize
146KB

MD5
37b1429e7e0671bd1a61e99dd86cff71

SHA1
5b5f0c6bf438775a6d9966013dead771138e03e6

SHA256
f5b8ca4d2d55cd0fbd08ac098fc5ebf2f588881976605c91b50433e4cf4c5ccb

SHA512
2b30b03922086e6da383fadfc2e2e1ee529eced47d9a1a3763948b22cd312dd65d56c60e01c97e8fd4e6eb9b82c6a02342868e3c4057809cac8adb95ed4069c7

Download Submit
C:\Users\Admin\AppData\Roaming\pRiTJcKows.js

Filesize
432KB

MD5
034c080d4ba7e16b021e22a8d0dedf24

SHA1
da13f8f5b9913b5b6640b76810da6a04bef4f981

SHA256
f2d6b3e1d4aa68c00b02c86d480467397632b6dea31c46fc65c511b6c6e09976

SHA512
d1190857df51d350954c1011c49adc3839db447c1027026019e3d8b8ac3be54f5c4207240ddadbcb95ed5d0ab066cfa371cd691833034babbb243dc75a7ed556

Download Submit
C:\Users\Admin\AppData\Roaming\vkjqdkkhze.txt

Filesize
473KB

MD5
b6406389aefbf2586dc5366ca89dac5e

SHA1
51cfa13bd26f81bb09cd72f60a4a7726c54b4da1

SHA256
cb1eaa5ccbcfed884e6376661f724e0c0c1261ea6da751812e49b9ea2169f860

SHA512
ffa2dc94918bc6b54f704e660cc558b0269f871a2ca1bb74b43fd2648796207fbf014468e7c1c5d2c2c757b6be3ddaecd9c117a7edb6338933470db5e132c8f6

Download Submit
memory/2356-107-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-55-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-110-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-108-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-113-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-116-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-88-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-112-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-57-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-63-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-62-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-120-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/2356-71-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-80-0x000001ED86B20000-0x000001ED87B20000-memory.dmp

Filesize
16.0MB

Download
memory/2356-125-0x000001ED85300000-0x000001ED85301000-memory.dmp

Filesize
4KB

Download
memory/3504-99-0x000002283DAB0000-0x000002283DD20000-memory.dmp

Filesize
2.4MB

Download
memory/3652-105-0x0000017463170000-0x0000017463180000-memory.dmp

Filesize
64KB

Download
memory/3652-92-0x00000174616C0000-0x00000174616C1000-memory.dmp

Filesize
4KB

Download
memory/3860-52-0x000001CCED4F0000-0x000001CCEE4F0000-memory.dmp

Filesize
16.0MB

Download
memory/3860-51-0x000001CCED7C0000-0x000001CCED7D0000-memory.dmp

Filesize
64KB

Download
memory/3860-106-0x000001CCED4F0000-0x000001CCEE4F0000-memory.dmp

Filesize
16.0MB

Download
memory/3860-48-0x000001CCED7A0000-0x000001CCED7B0000-memory.dmp

Filesize
64KB

Download
memory/3860-47-0x000001CCED790000-0x000001CCED7A0000-memory.dmp

Filesize
64KB

Download
memory/3860-42-0x000001CCED4F0000-0x000001CCEE4F0000-memory.dmp

Filesize
16.0MB

Download
memory/3860-39-0x000001CCED770000-0x000001CCED780000-memory.dmp

Filesize
64KB

Download
memory/3860-37-0x000001CCED4D0000-0x000001CCED4D1000-memory.dmp

Filesize
4KB

Download
memory/3860-27-0x000001CCED4F0000-0x000001CCEE4F0000-memory.dmp

Filesize
16.0MB

Download
memory/3860-26-0x000001CCED4D0000-0x000001CCED4D1000-memory.dmp

Filesize
4KB

Download
memory/3860-14-0x000001CCED4F0000-0x000001CCEE4F0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads