vjw0rm | efdd73efd31e03ec70a94afaf7067bad362ed8187ed9e82ab59d08cbe485bf32 | Triage

Sharing

General

Target

Waybill_006029.js
Size

8.0MB
Sample

230215-sj21rscd36
MD5

fd2bcbb9ba1b2b7a4eadc90285045b22
SHA1

c1b3ac3a1704dc52bd8d1a4d9e25a99ee30c3575
SHA256

efdd73efd31e03ec70a94afaf7067bad362ed8187ed9e82ab59d08cbe485bf32
SHA512

e1694b824b891891d02ce679417f7e62c8620238f99eb8a359a138cd4402f230eceb321b9f4f8641b9801e708eccfe44f3ba1162c2063f4529adfe61392e3da6
SSDEEP

192:OH/fm64O+DPY9DckYBMGfnvn99mVZadmrnfYjQadqx2h3ahcbbDPI3ZheEX5JL4Q:4fm64O+PY9DbaPV6ainc82haOXPmZl

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://febfeat.duckdns.org:40012

Targets

- Target
  
  Waybill_006029.js
- Size
  
  8.0MB
- MD5
  
  fd2bcbb9ba1b2b7a4eadc90285045b22
- SHA1
  
  c1b3ac3a1704dc52bd8d1a4d9e25a99ee30c3575
- SHA256
  
  efdd73efd31e03ec70a94afaf7067bad362ed8187ed9e82ab59d08cbe485bf32
- SHA512
  
  e1694b824b891891d02ce679417f7e62c8620238f99eb8a359a138cd4402f230eceb321b9f4f8641b9801e708eccfe44f3ba1162c2063f4529adfe61392e3da6
- SSDEEP
  
  192:OH/fm64O+DPY9DckYBMGfnvn99mVZadmrnfYjQadqx2h3ahcbbDPI3ZheEX5JL4Q:4fm64O+PY9DbaPV6ainc82haOXPmZl
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm