vjw0rm | 0507b44565581b01f61b3119270889a78ff24d0df00bf3c83c95dbb6090534fa | Triage

Sharing

General

Target

RMB_payment.js
Size

79KB
Sample

220617-kbvbysbbbn
MD5

17dcce0cdb0204dac6c5bcbc0556158f
SHA1

512d68eec84b5fec6fc89e9a0a71f853540c32e3
SHA256

0507b44565581b01f61b3119270889a78ff24d0df00bf3c83c95dbb6090534fa
SHA512

f90ce3330e13221b8a2ad945c27a6a73ad2739761337200ad3d9d72a31c645f14bd1ea6a2373ba2e1f761565166dca22444bca01c04876a13351904fb50cabae

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Targets

- Target
  
  RMB_payment.js
- Size
  
  79KB
- MD5
  
  17dcce0cdb0204dac6c5bcbc0556158f
- SHA1
  
  512d68eec84b5fec6fc89e9a0a71f853540c32e3
- SHA256
  
  0507b44565581b01f61b3119270889a78ff24d0df00bf3c83c95dbb6090534fa
- SHA512
  
  f90ce3330e13221b8a2ad945c27a6a73ad2739761337200ad3d9d72a31c645f14bd1ea6a2373ba2e1f761565166dca22444bca01c04876a13351904fb50cabae
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm