vjw0rm | fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d | Triage

Sharing

General

Target

32_94_payment_bv_xls.vhd
Size

50.0MB
Sample

230311-1k776sdc2t
MD5

3b668f406c5bf368ad1b717f2c5dfecd
SHA1

0aece060ceae8581b79e7678373c1bfcc0e53aa9
SHA256

fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d
SHA512

134cfd04ab23e5b96d5414db44fef9ab077319773912b4a6a727595cf1f1715a7343209f80a1bd8818aef9ee37cc748fedae9f44d1a9b431449f0d50f67d850d
SSDEEP

12288:Ab9Xn7Mu3qI70c9viIROLob9Xn7Mu3qI70c9viIROL:AJX7MA0c9vxkMJX7MA0c9vxk

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://js9400.duckdns.org:9400

Targets

- Target
  
  $RECYCLE.BIN/$I4FIL8H.js
- Size
  
  544B
- MD5
  
  3bb5ddbbc15c65e6d7af1c41a877bf2f
- SHA1
  
  c9411803abd57b1c62936f7a973fde45b792a0f9
- SHA256
  
  73cfb6a30179d5759f151505756edd832bdfe6675424cdfef2d0d95b9265fe14
- SHA512
  
  6b3eacbd3de4c5ec44852cef7349062d206f3af35f6f315a9e57af6023ac3cd563bd4bfc3f1ce4a1ca69e394e2fd33bec7a7185bac289be7ac713bc24a497686
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  $RECYCLE.BIN/$I5VEPRW.js
- Size
  
  544B
- MD5
  
  7fcacbf214c7091a4e52f42ba83ca75a
- SHA1
  
  93e6071f014cd5f47dbc0e52c93aadcde29e1457
- SHA256
  
  1704bea192c12c3d81474e73f5d0a2cc98cb57e9440e3f033862bd85f5980f85
- SHA512
  
  bae645c2ac3758975d468413e430c22c8c9803d90b65ea2d593ab542f901ad771bec89a6eef87103b28105a38addfa97cabb794f488caeb6024542d5c5a8f27f
Score

1^/10
behavioral2
- Target
  
  $RECYCLE.BIN/$IMH8R2U.js
- Size
  
  544B
- MD5
  
  2c4439dfc4bfb10e8bf9eb4c2932e067
- SHA1
  
  925eba054aae34b564c9f70f6813b70eedc744f8
- SHA256
  
  161b64c65461b1aa5fbbdfb7d465686ba02b4b3d89a19aaafb2f1a0f4f72597a
- SHA512
  
  64f02a63b754586e03a27547f4a2c468307318768bfb24bbb7ad3e02fc726c9e057e1770e8f84b849aad93f9751a655082129bde03a1c45afb6edf495f588501
Score

1^/10
behavioral3
- Target
  
  $RECYCLE.BIN/$R4FIL8H.js
- Size
  
  9.0MB
- MD5
  
  5d97ab7f843e6c18b96c4e34bd65ff09
- SHA1
  
  9ad9f18b92f57a3e1536a552dc3e4081b34169e2
- SHA256
  
  eb841738aeb5f98695da31d3ebe1bf241f8411283373fd6e99788fc52903b1be
- SHA512
  
  116897043738962c9e059d4701e01b3f36987100a00951ef020c2481dc100a3a59eaf106e5c96b042019dceb53b3a143454c6aaa861262bf2d24c45651699e81
- SSDEEP
  
  96:kZH1uyAXIXGou2lcJc9l2JEuft2v2wz2zadZxOBeFcr3vVkcZBIKkcZBe4KcZUCS:kZVhpngJpG2wz2xkFm3vVEKZpFEm
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  $RECYCLE.BIN/$R5VEPRW.js
- Size
  
  97KB
- MD5
  
  7afbb2051c1ba1c1e88c499c5e11636a
- SHA1
  
  4b2a14b3ca310b1f39959c130ae7b72a03078873
- SHA256
  
  74fc83dc153086db0329b982e73e8bee4b652d1265c8185b0b4374898a112d06
- SHA512
  
  c506d2d13383948d9acfafdc152f81326fc73381530fbb019794f9bc2b7733b3b455f6eddc92d597614f0f6d641f391d737f93f809486707cb1d8f84378309ec
- SSDEEP
  
  384:chWWz5Kfy24jHueR45qWWxWBWHKSqmqR4G:XYG
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  $RECYCLE.BIN/$RMH8R2U.js
- Size
  
  97KB
- MD5
  
  7aab68aeb388528f9e3448ea0dce56d7
- SHA1
  
  07d648c7247e2db064b7ba1b1b21722c475e3396
- SHA256
  
  610eb77c6ef6c0767a1b8d0157b39ea5105697ffdf31d2afa5963e4da8cd0cb8
- SHA512
  
  1f59fd8a717ff3bf9f57452440a6e08907cd9c32050aa399ab0a591c6109486410e74d21d5ee41355b4b041f4dd88c679d8077b611cfaea9c597aaa67ed0e8b4
- SSDEEP
  
  384:chWz5Kfy24jHueR45qWWxWBWHKSqmqR4G:OYG
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  $RECYCLE.BIN/desktop.ini
- Size
  
  129B
- MD5
  
  a526b9e7c716b3489d8cc062fbce4005
- SHA1
  
  2df502a944ff721241be20a9e449d2acd07e0312
- SHA256
  
  e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
- SHA512
  
  d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
Score

1^/10
behavioral7
- Target
  
  System Volume Information/IndexerVolumeGuid
- Size
  
  76B
- MD5
  
  4bc8091d9ef99a5cb61254af0f9007a5
- SHA1
  
  6367eaddd9a49ac051e1f8d1685dde8346207c31
- SHA256
  
  47ce805c3cabd8d8f19e3a4555256e7fbd5a618f13554faca1ba7b6d7a88d6eb
- SHA512
  
  499e679d57e418dc1aa7afc9081e72b7547a6f8d82560dd786f517b1b70cd27941356b04d5eaba1c448d64282a78b0287ba72c5e28c6d8cc7e4c03df22de2755
Score

1^/10
behavioral8
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  bf8c557e1c3c28ed3bc3213920576ff1
- SHA1
  
  863e227e338d6b8e056f3286b4d66f3bbf4e1ac1
- SHA256
  
  410696eb28b1d2150b093aa2a392ce82c31afd887fd324600c4a9fe54d42a34f
- SHA512
  
  e80edc340a2f720eb24b94488362f3f2511c1fd02f3b5e280305e2a2be0b5c923f05f442951f6558d8b5a83eadd913a78c99d12334aa530d3e48db1207624f74
Score

3^/10
behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

vjw0rmpersistencetrojanworm

behavioral5

vjw0rmpersistencetrojanworm

behavioral6

vjw0rmpersistencetrojanworm

behavioral7

behavioral8

behavioral9