vjw0rm | 926bf4e2106127115a1858a76c51849f14d728788d9344592ed9be240268236b | Triage

Sharing

General

Target

Interac.js
Size

6KB
Sample

230314-x5hw8shd96
MD5

dd60d66a1dc35b908e411406cab297c3
SHA1

f2de9ac704ee354a3c4ae88acb7ab6fc16abad43
SHA256

926bf4e2106127115a1858a76c51849f14d728788d9344592ed9be240268236b
SHA512

cf31f62ba7a088d9cd20a806a3ea9bdb63bfde3d1b00f2ae0974c00772865753becbc1d909ff129a3c69813d78a53286d8e65cab7ad7aa518dec82f40288eb1d
SSDEEP

96:hZH1uy6XIzBom2lcJc9l8YXfJJ2w2ZzH+IcbRNoFjda2LPsSa2Liie262kPV8Ua/:hZVh7zAei2w2ZzeIuNoVdn9K7V8Un0

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://ourvjworm.duckdns.org:7974

Targets

- Target
  
  Interac.js
- Size
  
  6KB
- MD5
  
  dd60d66a1dc35b908e411406cab297c3
- SHA1
  
  f2de9ac704ee354a3c4ae88acb7ab6fc16abad43
- SHA256
  
  926bf4e2106127115a1858a76c51849f14d728788d9344592ed9be240268236b
- SHA512
  
  cf31f62ba7a088d9cd20a806a3ea9bdb63bfde3d1b00f2ae0974c00772865753becbc1d909ff129a3c69813d78a53286d8e65cab7ad7aa518dec82f40288eb1d
- SSDEEP
  
  96:hZH1uy6XIzBom2lcJc9l8YXfJJ2w2ZzH+IcbRNoFjda2LPsSa2Liie262kPV8Ua/:hZVh7zAei2w2ZzeIuNoVdn9K7V8Un0
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm