vjw0rm | fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dff | Triage

Submit
Reports

Overview

overview

Static

static

3

fb1dddc298...fN.exe

windows7-x64

fb1dddc298...fN.exe

windows10-2004-x64

Sharing

General

Target

fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN
Size

359KB
Sample

240919-1sjvjsseqe
MD5

8168ebc24991383d3ca87a3641cddf50
SHA1

099589f333ff8cab37ea6dcbc27b5873305b125a
SHA256

fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dff
SHA512

2a5131ce1e50ece6873899d2f90659bf5a5a1b4f77a38f32e714665507f9b4bfb8042d4568692c535cd8a150d7ef42354504a5819984944fc074a1c263b5bc08
SSDEEP

6144:VT17ZpbhRqk8WwtB17ZpbhRBk8Wwt0717ZpbhRqk8WwtwDdG/cw:Xqk8WwtTBk8WwtAqk8Wwtwuc

Score

10^/10

vjw0rm discovery execution persistence trojan worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe

Resource

win7-20240903-en

vjw0rm discovery execution persistence trojan worm

windows7-x64

19 signatures

120 seconds

Behavioral task

behavioral2

Sample

fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe

Resource

win10v2004-20240802-en

vjw0rm discovery execution persistence trojan worm

windows10-2004-x64

26 signatures

120 seconds

Malware Config

Targets

- Target
  
  fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN
- Size
  
  359KB
- MD5
  
  8168ebc24991383d3ca87a3641cddf50
- SHA1
  
  099589f333ff8cab37ea6dcbc27b5873305b125a
- SHA256
  
  fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dff
- SHA512
  
  2a5131ce1e50ece6873899d2f90659bf5a5a1b4f77a38f32e714665507f9b4bfb8042d4568692c535cd8a150d7ef42354504a5819984944fc074a1c263b5bc08
- SSDEEP
  
  6144:VT17ZpbhRqk8WwtB17ZpbhRBk8Wwt0717ZpbhRqk8WwtwDdG/cw:Xqk8WwtTBk8WwtAqk8Wwtwuc
Score

10^/10

vjw0rm discovery execution persistence trojan worm
- Modifies WinLogon for persistence
  persistence
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmdiscoveryexecutionpersistencetrojanworm

behavioral2

vjw0rmdiscoveryexecutionpersistencetrojanworm

© 2018-2024

Terms | Privacy