vjw0rm | 779d2a6161c86c42ce9ed2888117b72a6778f050153654a0d9c0aa1e3ec3cfdc | Triage

Sharing

General

Target

receipt.js
Size

66KB
Sample

220313-t4s42aabhl
MD5

6f3064d19d9af3374af22dd40df47850
SHA1

9a663a6b13430cc5018a23b348850ff76644f5fb
SHA256

779d2a6161c86c42ce9ed2888117b72a6778f050153654a0d9c0aa1e3ec3cfdc
SHA512

f8ba075afddbb3f3f7f64af145cbd9e70c02710689c70d47959f3e9ca38593bc29a6c28896ffb19621802a09981ebf31a96630d9cff115c91e25335f18e21f85

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9001

Targets

- Target
  
  receipt.js
- Size
  
  66KB
- MD5
  
  6f3064d19d9af3374af22dd40df47850
- SHA1
  
  9a663a6b13430cc5018a23b348850ff76644f5fb
- SHA256
  
  779d2a6161c86c42ce9ed2888117b72a6778f050153654a0d9c0aa1e3ec3cfdc
- SHA512
  
  f8ba075afddbb3f3f7f64af145cbd9e70c02710689c70d47959f3e9ca38593bc29a6c28896ffb19621802a09981ebf31a96630d9cff115c91e25335f18e21f85
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm