vjw0rm | ae6fd665d99775c8880d301acec3edc28e44cf7e39338c5474533bb39dc3389c | Triage

Sharing

General

Target

receipt.js
Size

166KB
Sample

220622-jevapaafbj
MD5

3a6e3a42eda0c68307e16774cdb155c1
SHA1

1d72fb4eade35e91e7ced538e6b09a0860fb44a2
SHA256

ae6fd665d99775c8880d301acec3edc28e44cf7e39338c5474533bb39dc3389c
SHA512

5414eab172dcdf89f80153e1fae756f5b3bd7c6df410980040f158b083a875e530b6791af3157b0cb1648102ff247e9c5c0d357d4004230a70bfb26c4b4a55b3

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9003

Targets

- Target
  
  receipt.js
- Size
  
  166KB
- MD5
  
  3a6e3a42eda0c68307e16774cdb155c1
- SHA1
  
  1d72fb4eade35e91e7ced538e6b09a0860fb44a2
- SHA256
  
  ae6fd665d99775c8880d301acec3edc28e44cf7e39338c5474533bb39dc3389c
- SHA512
  
  5414eab172dcdf89f80153e1fae756f5b3bd7c6df410980040f158b083a875e530b6791af3157b0cb1648102ff247e9c5c0d357d4004230a70bfb26c4b4a55b3
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm