A Case Study of Vjw0rm
About:
Vjw0rm is a worm that spreads via USB drives and also has RAT capabilities, since it implements several commands sent by the C2 server. It establishes persistence on a machine by copying itself to the Startup folder and creating a Run registry entry. The malware drops a Java-based RAT called STRRAT, which is executed using a Java executable found on the local computer or downloaded from a remote URL.
Analysis and findings:
SHA256: 2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e
JavaScript malware can be an infection vector leading to serious threats such as ransomware and spyware. We want to present a general approach that can be used to analyze any malicious JavaScript scripts.
As we can see in figure 1, the initial script is obfuscated, and we need to find a way to extract the relevant information:
We used js-beautify to beautify the JavaScript file. We identified a string that seems to be Base64-encoded (see figure 2).
The malware replaces the “_!” characters with “m” in the above string (figure 3):
Box-js is a tool that can be used to execute and analyze a JavaScript file. Figure 4 shows that the malware creates a script called “KeunXSGcHu.js” in the “%AppData%” directory and runs it:
The transformed string is Base64-decoded, and then the script executes the new instructions.
As we’ve already seen, the malware creates a file called “KeunXSGcHu.js”, which is populated with a variable that is Base64-decoded, as highlighted below:
Another variable named “longText” is decoded by replacing the “_!” characters with “A” (see figure 7).
The script generates a random string consisting of a maximum of 10 characters using the “Math.random()” function. The “longText” variable is Base64-decoded, and its content is saved in a “.txt” file. The resulting file is a malicious JAR called STRRAT with the following hash: 0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a.
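The two decoding layers described above (swap the “_!” token back to “m” for the first stage and to “A” for the “longText” variable, then Base64-decode) can be reproduced offline with the following added example; it is not code from the write-up, and the encoded inputs are constructed stand-ins, not strings from the real sample. It also labels the decoded stage by its magic bytes, so a decoded JAR (a ZIP archive) is recognised without executing anything.

```python
import base64
import re

# Substitution token used by both obfuscation layers in the analysed sample.
TOKEN = "_!"


def decode_layer(blob: str, replacement: str) -> bytes:
    """Undo one obfuscation layer: restore the Base64 alphabet character that the
    script swapped out for "_!" ("m" for the first stage, "A" for "longText"),
    then Base64-decode. Whitespace is stripped first because beautified scripts
    often wrap long string literals over several lines."""
    restored = re.sub(r"\s+", "", blob).replace(TOKEN, replacement)
    restored += "=" * (-len(restored) % 4)  # re-pad if trailing "=" were trimmed
    return base64.b64decode(restored, validate=True)


def classify_payload(data: bytes) -> str:
    """Label a decoded stage: a JAR is a ZIP archive and starts with PK\\x03\\x04;
    anything that decodes as UTF-8 text is treated as a further script."""
    if data.startswith(b"PK\x03\x04"):
        return "jar"
    try:
        data.decode("utf-8")
        return "script"
    except UnicodeDecodeError:
        return "unknown"


def obfuscate_for_demo(data: bytes, replacement: str) -> str:
    """Build a constructed input in the sample's encoding (Base64 with one
    alphabet character replaced by the token) so the decoder can be exercised."""
    return base64.b64encode(data).decode().replace(replacement, TOKEN)


# Constructed stand-ins: a harmless script for stage 1 and a ZIP header for stage 2.
STAGE1_SAMPLE = obfuscate_for_demo(b'WScript.Echo("stage 1 decoded");', "m")
STAGE2_SAMPLE = obfuscate_for_demo(b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/", "A")

if __name__ == "__main__":
    for name, blob, repl in (("stage1", STAGE1_SAMPLE, "m"), ("stage2", STAGE2_SAMPLE, "A")):
        payload = decode_layer(blob, repl)
        print(name, classify_payload(payload), payload[:32])
```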
The malware tries to locate the Java executable on the machine by querying the following registry keys:
If Java is found on the computer, the malicious JAR file is executed; otherwise, the “GrabJreFromNet” function is called:
The function mentioned above downloads an archive called “jre.zip” from “https[:]//aash[.]com.pk/jre.zip”. The archive content is extracted and saved in a folder called “jre7” in the “%AppData%” directory. A registry Run entry called “ntfsmgr” is used as a persistence mechanism to run the malicious JAR:
The implementation of the “UnZip” function is shown in figure 12:
The “KeunXSGcHu.js” file implements a function similar to the one in the initial script:
Finally, after decoding the Base64-encoded string, we can identify the malware as vjw0rm (see figure 15).
The script verifies if the “HKCU\vjw0rm” registry key exists on the system, which would indicate a previous infection. If that’s not the case, the value is created and populated with “TRUE” or “FALSE” (figure 16):
The malicious script is copied to the Startup folder using the CopyFile function, as shown below:
The malware performs a POST request to the C2 server “http[:]//javaautorun.duia[.]ro:5465/Vre” with a custom User-Agent:
The user-agent contains the following information: computer name, username, serial number of all logical disks, operating system version, and antivirus software name (see figure 19).
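The persistence artifacts (the “ntfsmgr” Run value, the “HKCU\vjw0rm” marker, the files dropped under “%AppData%”) and the beacon to the C2 server described above can be turned into simple detection logic. The following added example, which is not part of the original write-up, runs those indicators over constructed telemetry events; the event schema (“type”, “host”, “port”, “method”, “path”, “key”) is an assumption made for the demo, and the defanging brackets are removed so the values match real logs.

```python
import re
from typing import Optional

# Network indicators from the analysis; defanging brackets removed for matching.
C2_HOSTS = {
    "javaautorun.duia.ro": "vjw0rm C2 host",
    "aash.com.pk": "jre.zip download (GrabJreFromNet)",
    "jbfrost.live": "STRRAT plugin host",
    "nneewwllooggzz.mefound.com": "STRRAT C2",
    "windowsupdatelogz.onedumb.com": "STRRAT C2",
}
REGISTRY_IOCS = {
    r"hkcu\software\microsoft\windows\currentversion\run\ntfsmgr": "ntfsmgr Run persistence",
    r"hkcu\vjw0rm": "vjw0rm infection marker",
}
# %AppData% expands to <profile>\AppData\Roaming; the .txt name is random (up to 10 chars).
DROPPED_FILE = re.compile(
    r"\\appdata\\roaming\\(keunxsgchu\.js|jre\.zip|jre7(\\.*)?|[^\\]{1,10}\.txt)$", re.I)
BEACON = ("POST", 5465, "/vre")  # beacon shape from the write-up


def match_event(event: dict) -> Optional[str]:
    """Return a description if one telemetry event (constructed schema) matches an indicator."""
    kind = event.get("type")
    if kind == "net":
        host = event.get("host", "").lower()
        if host in C2_HOSTS:
            label = C2_HOSTS[host]
            if (event.get("method"), event.get("port"), event.get("path", "").lower()) == BEACON:
                label += ", beacon to /Vre"
            return label
    elif kind == "reg" and event.get("key", "").lower() in REGISTRY_IOCS:
        return REGISTRY_IOCS[event["key"].lower()]
    elif kind == "file" and DROPPED_FILE.search(event.get("path", "")):
        return "dropped file in %AppData%"
    return None


def scan_events(events) -> list:
    """Return (index, description) for every event that matches an indicator."""
    return [(i, hit) for i, ev in enumerate(events) if (hit := match_event(ev))]


# Constructed sample telemetry mixing benign events with ones shaped like the analysis.
SAMPLE_EVENTS = [
    {"type": "net", "host": "www.example.com", "port": 443, "method": "GET", "path": "/"},
    {"type": "net", "host": "javaautorun.duia.ro", "port": 5465, "method": "POST", "path": "/Vre"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\KeunXSGcHu.js"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\notes.docx"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr"},
    {"type": "net", "host": "aash.com.pk", "port": 443, "method": "GET", "path": "/jre.zip"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the beacon, the dropped script, the Run value and the jre.zip download while leaving the benign events alone.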
The worm implements the following commands (figure 20):
Cl command:
The command is used to terminate the script execution.
Sc command:
The process creates a temporary file, populates it with code sent by the C2 server, and executes it using the run function.
Ex command:
The command is used to execute JavaScript code transmitted by the C2 server.
Rn command:
The malware modifies the current script and executes the new file using wscript.exe.
Up command:
The malicious process creates a temporary file that is filled with code and executed via Wscript.
Un command:
The command runs additional JavaScript code that might be used to uninstall the worm.
RF command:
Same execution flow as the Sc command.
We used Recaf to analyze the malicious JAR file. As shown in figure 21, the initial code appears to be obfuscated.
We used the Java Deobfuscator tool to detect the obfuscator that was applied. Figure 22 reveals that the Allatori Java obfuscator was identified:
After deobfuscating the file, we can spot many differences (figure 23). For example, a scheduled task called “Skype” is created by the RAT.
We have decrypted the STRRAT configuration using this script:
We can highlight two C2 servers nneewwllooggzz.mefound[.]com and windowsupdatelogz.onedumb[.]com, and the http[:]//jbfrost[.]live URL that hosts the STRRAT plugins. STRRAT provides functionalities such as keylogging, uninstalling the application, updating the malware, downloading and executing files using cmd or Powershell, and so on:
SHA256:
2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a
Files created:
%AppData%\KeunXSGcHu.js
%AppData%\<random name>.txt
%AppData%\jre.zip
%AppData%\jre7
Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr
HKCU\vjw0rm
C2 servers/URLs:
https[:]//aash[.]com.pk/jre.zip
http[:]//javaautorun.duia[.]ro:5465
http[:]//jbfrost[.]live
nneewwllooggzz.mefound[.]com
windowsupdatelogz.onedumb[.]com