vjw0rm | 65f9ac79659c9a5646c680ae7dfab4dac62b11b6fa228559ecf35bf1ea18eed4 | Triage

Sharing

General

Target

9146083837.zip
Size

25KB
Sample

230213-1w649age89
MD5

3dc2e9d868165b46e4e4b051762c9d33
SHA1

01e1cd3269cffc52f96a78af0d4d666809f86f4f
SHA256

65f9ac79659c9a5646c680ae7dfab4dac62b11b6fa228559ecf35bf1ea18eed4
SHA512

25cbf9ce343ad9c84ca11f823de5abb395465bb86b171ba0ec1cc59a580c0f33c0531e4f14e339b0aaa4cf5f3de80b23be5ac5daed3d5a4c500575e8af8aadd3
SSDEEP

768:OlehDs2xBv5CJs6tumr1q3hu97iGug+OuJWdKJj:944v5CJNtt1qEiB

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://sgdghhdh62.duckdns.org:8050

Targets

- Target
  
  9146083837.zip
- Size
  
  25KB
- MD5
  
  3dc2e9d868165b46e4e4b051762c9d33
- SHA1
  
  01e1cd3269cffc52f96a78af0d4d666809f86f4f
- SHA256
  
  65f9ac79659c9a5646c680ae7dfab4dac62b11b6fa228559ecf35bf1ea18eed4
- SHA512
  
  25cbf9ce343ad9c84ca11f823de5abb395465bb86b171ba0ec1cc59a580c0f33c0531e4f14e339b0aaa4cf5f3de80b23be5ac5daed3d5a4c500575e8af8aadd3
- SSDEEP
  
  768:OlehDs2xBv5CJs6tumr1q3hu97iGug+OuJWdKJj:944v5CJNtt1qEiB
Score

1^/10
behavioral1 behavioral2
- Target
  
  6b310d2dfcf461efdf51d7aa156cabcf75b74a8eef838c2fd32a1018baabd2a5
- Size
  
  222KB
- MD5
  
  f579e228680843578ea1d799f1c42f8c
- SHA1
  
  5da5fb2ee477c419c098b3ec2067297a131815f6
- SHA256
  
  6b310d2dfcf461efdf51d7aa156cabcf75b74a8eef838c2fd32a1018baabd2a5
- SHA512
  
  7ef25e460671ba49368a64040f139559757b2927997343d8cf51d4432cbde5984368cfdd1c9bb6c7e38a32369ad283be4ced7d1a33ad93c5855796e10a904064
- SSDEEP
  
  3072:kdjjYRucFutbf1O1OVuVuVuVuNjQAmXPvf/a6qKiCySOue+W2mGMsc80UEkQwweo:k3c684guA6d
Score

1^/10
behavioral3 behavioral4
- Target
  
  1ZUSEWYOK07HKSA-Payment_Receipt.vhd
- Size
  
  6.0MB
- MD5
  
  d85f12e9ce7de83d8163bc68d4366ae8
- SHA1
  
  755414bde4e6c023da1a3b45e3dbfe463e932ef9
- SHA256
  
  554f2986118eacbe2a162883e2396ac4be1bc2d1fdf51a6fe7867eb4ef58ac21
- SHA512
  
  3c6a0599ab3795db92b35dadf7131e40512d791124d27c028b3ec5211c0031c11fb27c01a82adf936586131d59f456aff438641882b5a4a5a821f6427d97dae3
- SSDEEP
  
  12288:3b9Xn7Mu3qI70c9viIRub9Xn7Mu3qI70c9viIR:3JX7MA0c9vxkJX7MA0c9vx
Score

3^/10
behavioral5 behavioral6
- Target
  
  1ZUSEWYOK07HKSA-Payment_Receipt.js
- Size
  
  300.0MB
- MD5
  
  a06c086617a359d32f307f1eefebdec9
- SHA1
  
  e03f86ffa51195d5c83b0e6a34634972bbf54b5a
- SHA256
  
  7fd7e1acd3c7ff1a590ef300f5fe1e03add64200ae18b489519984ebdc0c7e84
- SHA512
  
  d7b562c9d70304f7e40b0bd4e1f0117bfbabcbcd6529d785e4cf8631c4f00b0271ddd315553ebbfb355f35d8b281e6586d6f7619ac8389cd61a57bd96e2ba65f
- SSDEEP
  
  3072:pjY9uQNXf0j/uVpaAKbzjFS0tNm0tkx0mNmv0tNCpi:
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  a9ef3aa2e3d9657648d5e3c17d24978a
- SHA1
  
  58d8998481c30413fb624f7425922bdd4fb25645
- SHA256
  
  43fa536aa01e49280fc1fe0a570df38cf7e87f8104a5a51ce98f5cbef2b99cbf
- SHA512
  
  643d7b7f3b688d55f4f18956fa976c904ac8ce658e11ce7f4f2f49faba5f514482a3d86402c991df537fd8a53c74abc61569334592fc2f011d2360cbb1f5b3ef
Score

3^/10
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

vjw0rmpersistencetrojanworm

behavioral8

vjw0rmpersistencetrojanworm

behavioral9

behavioral10