vjw0rm | 383161ff3e03ff39f396725cef6bae622040bcd5aff25df8b147c1fd9639daef | Triage

Sharing

General

Target

H656_Payment_receipt_Pdf.js
Size

300.0MB
Sample

230323-pnsq4sff23
MD5

606730f4cf8cb008adb76fe44b85d6dd
SHA1

84a3a53eab776e4efc24b2149b262e4bbd3c1d6b
SHA256

383161ff3e03ff39f396725cef6bae622040bcd5aff25df8b147c1fd9639daef
SHA512

e5bfd75ec3993672c893bdd456dbd5839a392425ee8c5d802f87f4e5fb23ee24b4c9027c1818f2f4ca6f2667c1f1658b15b7f8bdbbb4aa21eedbb1dfb5c5e6df
SSDEEP

192:EZYg0luzi75WbAZvD1hdh12cB5kw94tMa3dZYkVdPrv1kc8KuIVLk5/lWWWnazhC:EZfz5Khy24jHuHFqWWsW8WHKSqm7S

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://js9300.duckdns.org:9300

Targets

- Target
  
  H656_Payment_receipt_Pdf.js
- Size
  
  300.0MB
- MD5
  
  606730f4cf8cb008adb76fe44b85d6dd
- SHA1
  
  84a3a53eab776e4efc24b2149b262e4bbd3c1d6b
- SHA256
  
  383161ff3e03ff39f396725cef6bae622040bcd5aff25df8b147c1fd9639daef
- SHA512
  
  e5bfd75ec3993672c893bdd456dbd5839a392425ee8c5d802f87f4e5fb23ee24b4c9027c1818f2f4ca6f2667c1f1658b15b7f8bdbbb4aa21eedbb1dfb5c5e6df
- SSDEEP
  
  192:EZYg0luzi75WbAZvD1hdh12cB5kw94tMa3dZYkVdPrv1kc8KuIVLk5/lWWWnazhC:EZfz5Khy24jHuHFqWWsW8WHKSqm7S
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm