vjw0rm

Resubmissions

31/10/2022, 16:50

221031-vcfkascdam 10

Sharing

Copy URL Twitter E-mail

General

Target

1b12c5d8-6942-2d7f-6704-aba706937dfe.eml
Size

8.2MB
Sample

221031-vcfkascdam
MD5

7d3a506775ce7a6ff3032240686a0aee
SHA1

fbd461c0a5638c7a137300fabf75ef73de51075f
SHA256

5d702d1a61995f9c453734735fb7e3feb7578211b45aff9adb77dec4f6f61ffd
SHA512

7e4b74815b5ad889c01efc4a25d8fe07d904833c40c16bfdb4e1ab163c4e7baaa94d3696892a6af758ef419f50d270498f018b3c0e324febb0c4a951c8208c5e
SSDEEP

24576:NOz/y51YBfxe6D/MPz30x44a41V4444CA44E44X49444rXX44cr4U4O4OIh:se1e4

Score

10^/10

Malware Config

Extracted

Family

vjw0rm

http://wordz54.duckdns.org:9010

Targets

- Target
  
  invoice.vhd
- Size
  
  6.0MB
- MD5
  
  b24242219ffb9ed3a0b9e7eaacaac478
- SHA1
  
  fd7d870c7684c4a46da3e7500c37080bc0e81533
- SHA256
  
  0a2aeb9a8ba4f527fd362434b449ef7200a5049ad19bfa53b8b4ef59cda40067
- SHA512
  
  7a274dbefcf85e971c00017552bb51e1924bab704ae0411fea7f3a75e151b4284ee781f9407b7582548ccf4a75569bd4de56280f229136a6e2bf3e1f0a1a9673
- SSDEEP
  
  6144:MhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINtyTHiB0dJo+sSM8F2:MhhAANCkJlqqFSC6dcyQo15E3zM8F2
Score

3^/10
behavioral1 behavioral2
- Target
  
  $RECYCLE.BIN/$IHL25IB.exe
- Size
  
  58B
- MD5
  
  e525b1a752fa89402a6f305a1da9078e
- SHA1
  
  f315006d26e30d46f837fbcd0a913e35966733f7
- SHA256
  
  f30599fc822f68993af5769437d8f8858ebc49f8d3f3fdaf7063ceec43320994
- SHA512
  
  340d4415968e76ae061ec74811b7c4e27424c1610fc642b2b2d30a376372e3444ffdadaf27a331181d4607503b2c9e1f9a6d584199f0d769bef7d7f03444f622
Score

1^/10
behavioral3 behavioral4
- Target
  
  $RECYCLE.BIN/$IJXIQS1.bat
- Size
  
  48B
- MD5
  
  27748c2c09d1ee70dc432474a68675f3
- SHA1
  
  f665d9e7887e80dd24f1952ab596262acef7f17e
- SHA256
  
  e7004d84c2074974a9276ebd34fab3a1dd1e11c51fa098f6b8d4b3a752762fca
- SHA512
  
  f1b602874b0ac7c37eb1d00d6ae25587921361e7caf26d6c802d7b2bbc28af1bc17b544eb89c40b7f88cfd86fc77cded0ae88530106b4b657b75180b64fe756b
Score

1^/10
behavioral5 behavioral6
- Target
  
  $RECYCLE.BIN/$RHL25IB.exe
- Size
  
  181KB
- MD5
  
  dee74fb4b0a75386df85859443bc7cea
- SHA1
  
  1dd13451cf532dad57321840476300f7d91f2d26
- SHA256
  
  3054aceb57920cfbdf9e5f276d9037a804bcfcea1ee125da4ee2300ed335e666
- SHA512
  
  6d7b5d3c723bca9bd077e665bd254ee924e05477bebb55376fcaadf2892c4410780afabc3970f8085e373ddd7e104800018681da432b33ce8dba159463b7a292
- SSDEEP
  
  1536:B1s+W+yEReHiB0dJoVssssssswksck930mlSF:BDyTHiB0dJoVssssssswks5hSF
Score

9^/10

discovery persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  $RECYCLE.BIN/$RJXIQS1.bat
- Size
  
  325KB
- MD5
  
  09329152d36bbe721ce3504787436cf2
- SHA1
  
  713a6fb0da4a111649bc7268f193ba52463e3576
- SHA256
  
  67e3ece7d1bf12285f01930d6eb28b91ba4a02551d24648ddc79a17cbb9d9423
- SHA512
  
  ee5ad3c41a7822bcc759fa3a33dd2d404cf57f1b074973a61f59c2163bb4062c908b820eb9a0e7fde009be42e6cdcab85ea5373805bbc242ea47957c9fd44a7e
- SSDEEP
  
  6144:uhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINj:uhhAANCkJlqqFSC6dcyQo15j
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral9 behavioral10
- Target
  
  $RECYCLE.BIN/desktop.ini
- Size
  
  129B
- MD5
  
  a526b9e7c716b3489d8cc062fbce4005
- SHA1
  
  2df502a944ff721241be20a9e449d2acd07e0312
- SHA256
  
  e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
- SHA512
  
  d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
Score

1^/10
behavioral11 behavioral12
- Target
  
  System Volume Information/IndexerVolumeGuid
- Size
  
  76B
- MD5
  
  c6bcef47098fac9c4262ed95484ab6e9
- SHA1
  
  66a75fc78ebb446b493cbb94d6095c3175ee57a1
- SHA256
  
  674a17687944b39796f2ba3578fbcc17f31e8754ff5e563e2ba47ce0e54dcea0
- SHA512
  
  6efa8ef3a1468c9db68a9a34c80b9d7349df6bef374bfe642def2bd832f49b8cb5f41e1c61cf21f229ed93a8e4d50cecf73864e75ec6b6c19e3c3f65881d686e
Score

1^/10
behavioral13 behavioral14
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  12a04e49031945a14f38e23471c8654b
- SHA1
  
  cbde78e9a3d3396b673b93274c456d760097c47e
- SHA256
  
  b70015cd10c6119ce84fe9870172372c493610641f5210405a417259551ba5eb
- SHA512
  
  c9014cc8e51c286853499f571f479287e4cefc0c6a6bbbdc13c90f875487d9920cfe55ac5e57298539196e705e198c4bee179a33082191b493898c3e473ed631
Score

3^/10
behavioral15 behavioral16
- Target
  
  invoice-041.js
- Size
  
  30KB
- MD5
  
  8b8f2549bbebd12bb6e8360fab076d23
- SHA1
  
  6a96c8376b036428e7fa6df6d2cbee855afee2ef
- SHA256
  
  81061c078ee3a05adab2bc0a001e4bb3fd61b48dfb91af1a3de114806f012a2c
- SHA512
  
  8c9bd6c693d8cd9776996d0c15e04c909eb5fb8a86672bd88fd5338df79544325e2855013c4825bbbfc9a7ae1025e2de4e2b77d041c7c2abbc3d52249ea65a9a
- SSDEEP
  
  768:yUz+Bbpd+RNmrwMoVJpbJF/S2Iaf9fg1Q7Bp7zMn8sK:yl+YVoVJpbj/SNaf9LBp7zMn8sK
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral17 behavioral18

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Creates a large amount of network flows

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18