vjw0rm | 93a3bcccf1a3ae246ff754f0ef386d9e76367a14968e8a48c1993b403e43ba24 | Triage

Sharing

General

Target

INVOICETW002.js
Size

9.0MB
Sample

230216-m99kmsgh61
MD5

ad72675c63043b6516dc19c5bd3c54fa
SHA1

6e11de29ef4ea95947a224a6f1b368268f9c2be3
SHA256

93a3bcccf1a3ae246ff754f0ef386d9e76367a14968e8a48c1993b403e43ba24
SHA512

a95f846ded44e64c6ad8057927e557a571eeb857761e7b190ec1873cf2cbf396f1458cf95bd0ac25d500c43197fbd4149f512d75182271155a28d8ccd2cfc950
SSDEEP

192:SB41HdWH9RPX9xkOS+0pkyTKuwWXgXS9B64/K20+WSH:qqHYdl9xkOSOyuWXgXx2T

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://mikemons767.duckdns.org:8023

Targets

- Target
  
  INVOICETW002.js
- Size
  
  9.0MB
- MD5
  
  ad72675c63043b6516dc19c5bd3c54fa
- SHA1
  
  6e11de29ef4ea95947a224a6f1b368268f9c2be3
- SHA256
  
  93a3bcccf1a3ae246ff754f0ef386d9e76367a14968e8a48c1993b403e43ba24
- SHA512
  
  a95f846ded44e64c6ad8057927e557a571eeb857761e7b190ec1873cf2cbf396f1458cf95bd0ac25d500c43197fbd4149f512d75182271155a28d8ccd2cfc950
- SSDEEP
  
  192:SB41HdWH9RPX9xkOS+0pkyTKuwWXgXS9B64/K20+WSH:qqHYdl9xkOSOyuWXgXx2T
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm