vjw0rm | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 | Triage

Sharing

General

Target

HAWB#68564359.pdf.js
Size

4.5MB
Sample

230329-jm45vsfc89
MD5

9cf2c793029ae8dd84a387ba66e8c432
SHA1

48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10
SHA256

d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9
SHA512

33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848
SSDEEP

24576:8NLb0+2xYFsLoDw9svltZ7r55HNYYkY4WOxbZQCgvRo5PD1rMLSeGU0pOlBY9Pcw:3ueQa

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Targets

- Target
  
  HAWB#68564359.pdf.js
- Size
  
  4.5MB
- MD5
  
  9cf2c793029ae8dd84a387ba66e8c432
- SHA1
  
  48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10
- SHA256
  
  d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9
- SHA512
  
  33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848
- SSDEEP
  
  24576:8NLb0+2xYFsLoDw9svltZ7r55HNYYkY4WOxbZQCgvRo5PD1rMLSeGU0pOlBY9Pcw:3ueQa
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm