vjw0rm | 9296cb6b37e1aa570675bcc07519b5887d20ec6617efa84d900286a8a829c994 | Triage

Sharing

General

Target

Statement-Invoice.js
Size

10KB
Sample

220708-1bgc4ahfal
MD5

c94c70544e1792362319f444ff1969ba
SHA1

0b8712b610744c9bf0cb469662f7823ed71e84b9
SHA256

9296cb6b37e1aa570675bcc07519b5887d20ec6617efa84d900286a8a829c994
SHA512

001eb00bf2851c8cda1bbf2ccb9a7d624378896d6a8cce02e99af4e0c7c2751d2cbc496c3c98d0f0535d1c0413e06c5a72b542f7d4b5e2f2c78b4ac5b04a1512

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://hwprocessing.duckdns.org:9933

Targets

- Target
  
  Statement-Invoice.js
- Size
  
  10KB
- MD5
  
  c94c70544e1792362319f444ff1969ba
- SHA1
  
  0b8712b610744c9bf0cb469662f7823ed71e84b9
- SHA256
  
  9296cb6b37e1aa570675bcc07519b5887d20ec6617efa84d900286a8a829c994
- SHA512
  
  001eb00bf2851c8cda1bbf2ccb9a7d624378896d6a8cce02e99af4e0c7c2751d2cbc496c3c98d0f0535d1c0413e06c5a72b542f7d4b5e2f2c78b4ac5b04a1512
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm