vjw0rm | 29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541 | Triage

Sharing

General

Target

PO.js
Size

16KB
Sample

221107-nnad4adfh5
MD5

d9cf358d33e0b914b807f31d6c58c5a7
SHA1

8eea7bf764edac96eb2a06f3a7301f6cec2d2bb8
SHA256

29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541
SHA512

06802248fa1440aceb565efdad5ac752d6f2469add00a0e1decc3e398b53a2975f80b55924fe98402c0e3c2ca4850c842a77b1ba189ea0067934028a6e90f6a9
SSDEEP

192:BdmxVneKi3B7oB8AmIufpDU1qLyAFsagU13pR8UAEbfK+bE+1FauvG6JY46272ii:eViR0B81Is61aykvpRrK+bZR72twdu

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://212.193.30.230:6505

Targets

- Target
  
  PO.js
- Size
  
  16KB
- MD5
  
  d9cf358d33e0b914b807f31d6c58c5a7
- SHA1
  
  8eea7bf764edac96eb2a06f3a7301f6cec2d2bb8
- SHA256
  
  29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541
- SHA512
  
  06802248fa1440aceb565efdad5ac752d6f2469add00a0e1decc3e398b53a2975f80b55924fe98402c0e3c2ca4850c842a77b1ba189ea0067934028a6e90f6a9
- SSDEEP
  
  192:BdmxVneKi3B7oB8AmIufpDU1qLyAFsagU13pR8UAEbfK+bE+1FauvG6JY46272ii:eViR0B81Is61aykvpRrK+bZR72twdu
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm