vjw0rm | b3c5a0a3ac206fafac0c872021eb6b540942f301c72b2e09ad48d2e1c6ee679e | Triage

Sharing

General

Target

malware.js
Size

8KB
Sample

230221-zeqv9sge63
MD5

6133488aa55c35b2b8f8f5e987f2ce27
SHA1

a288f7774abdd0c1f337fe25259d6432b08e8a57
SHA256

b3c5a0a3ac206fafac0c872021eb6b540942f301c72b2e09ad48d2e1c6ee679e
SHA512

cb299228537ab9e51dd1eb6ac2f488f9b659dd421337d9033486efe7acbc62918e4765abe20e6d5ea8f9c6453cf3d9a2f934d45755db84aea47a9bf2acd3e1ea
SSDEEP

192:MA7/AIwPI9xHUn0zRblHk33+/VGzZC3BUOhOOZKdR:b/vmaxNRblHOqmOpW

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://jamnnd.duckdns.org:8024

Targets

- Target
  
  malware.js
- Size
  
  8KB
- MD5
  
  6133488aa55c35b2b8f8f5e987f2ce27
- SHA1
  
  a288f7774abdd0c1f337fe25259d6432b08e8a57
- SHA256
  
  b3c5a0a3ac206fafac0c872021eb6b540942f301c72b2e09ad48d2e1c6ee679e
- SHA512
  
  cb299228537ab9e51dd1eb6ac2f488f9b659dd421337d9033486efe7acbc62918e4765abe20e6d5ea8f9c6453cf3d9a2f934d45755db84aea47a9bf2acd3e1ea
- SSDEEP
  
  192:MA7/AIwPI9xHUn0zRblHk33+/VGzZC3BUOhOOZKdR:b/vmaxNRblHOqmOpW
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm