vjw0rm | d7f9500aa960463e10753337efdb37659e0a9923206b284a9bff56981ef2f658 | Triage

Sharing

General

Target

uACNKYayoW_wama.js
Size

41KB
Sample

221125-h287padg9t
MD5

5c8ff125cbe4ed171a5b451ccf76a0e5
SHA1

9e4c5cbeeb2ba5fcca9e260f56131289b8e85192
SHA256

d7f9500aa960463e10753337efdb37659e0a9923206b284a9bff56981ef2f658
SHA512

2235dfc79d56df74d40dd1bd701c39c7333621b72eefded27baa1810db10e4ec77e7f1251ecd6f5f882b39ab95d74cecf0a6ce3d11a2b94c86ee5a25ce5b5cab
SSDEEP

768:0U3iWK5RtLHuGFDYZWjQ+I0ZosTO9pFUqcnp7TZVyxCGRu:cpp85DUqcntTZVyxhRu

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://45.139.105.174:7575

Targets

- Target
  
  uACNKYayoW_wama.js
- Size
  
  41KB
- MD5
  
  5c8ff125cbe4ed171a5b451ccf76a0e5
- SHA1
  
  9e4c5cbeeb2ba5fcca9e260f56131289b8e85192
- SHA256
  
  d7f9500aa960463e10753337efdb37659e0a9923206b284a9bff56981ef2f658
- SHA512
  
  2235dfc79d56df74d40dd1bd701c39c7333621b72eefded27baa1810db10e4ec77e7f1251ecd6f5f882b39ab95d74cecf0a6ce3d11a2b94c86ee5a25ce5b5cab
- SSDEEP
  
  768:0U3iWK5RtLHuGFDYZWjQ+I0ZosTO9pFUqcnp7TZVyxCGRu:cpp85DUqcntTZVyxhRu
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm