vjw0rm | 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb | Triage

Sharing

General

Target

INVOICE.PDF.js
Size

2.7MB
Sample

230409-hx74tshg66
MD5

42a42d7b66691e3fff3e691d70703ce5
SHA1

9e57f573570d068b964c84b5d7cdbf1fb010e3d9
SHA256

3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
SHA512

bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
SSDEEP

24576:ydSySTD8C4AeGIfkZP5Xog8NWtQVNmxE/imwx+pBUqyO57ZPUm:nnuLh

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Targets

- Target
  
  INVOICE.PDF.js
- Size
  
  2.7MB
- MD5
  
  42a42d7b66691e3fff3e691d70703ce5
- SHA1
  
  9e57f573570d068b964c84b5d7cdbf1fb010e3d9
- SHA256
  
  3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
- SHA512
  
  bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
- SSDEEP
  
  24576:ydSySTD8C4AeGIfkZP5Xog8NWtQVNmxE/imwx+pBUqyO57ZPUm:nnuLh
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm