vjw0rm | fd12bc99829e1bf6b3d47705419e33055763a3a375e3069ff5e3d9654c5e461b | Triage

Sharing

General

Target

d4b928defdafd9c54fe69160ba650cc8.bin
Size

160KB
Sample

230116-kp12nagc8t
MD5

49a7482d6a5e4d00d5cf9bfc7542fd35
SHA1

4f73aecfcbac2c8cd8f90e407e73bdb76d06cdea
SHA256

fd12bc99829e1bf6b3d47705419e33055763a3a375e3069ff5e3d9654c5e461b
SHA512

d7194d0d9ee036ca673cfbe4b34b2b4f80a7236da804d99291c2e93289437c65c5c45d67014a99f71630862ba029b70269505c923eae9005d820dad60cf2aea4
SSDEEP

3072:N6bECIMix2cUZcVlnO1qfDiYmaKsPPwDyEwjftU5PQzQ:U8VxpV/IqfuYeyEGU5AQ

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Targets

- Target
  
  7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js
- Size
  
  260KB
- MD5
  
  d4b928defdafd9c54fe69160ba650cc8
- SHA1
  
  041715d3775045016dfbebb68f8e4964c8ad123a
- SHA256
  
  7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee
- SHA512
  
  a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4
- SSDEEP
  
  6144:EPP/pyxHpiGSxCXJZTv+jCtMX1/MJIUDKi:EPXpyR17r+jCtMl/kD9
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm