vjw0rm | 81e404c97700d97eb4ed9274f84071f48ab947f297afac6367234995467c0c1b | Triage

Sharing

General

Target

JaffaCakes118_81e404c97700d97eb4ed9274f84071f48ab947f297afac6367234995467c0c1b
Size

76KB
Sample

241225-gd6afszkar
MD5

a524114c369117af161305c725d30005
SHA1

591a8945d2c2bc5a2babf185fd3d9b7cccc7ea1f
SHA256

81e404c97700d97eb4ed9274f84071f48ab947f297afac6367234995467c0c1b
SHA512

4901d5f48dbb08667b8357099cd5f477d57c7c26297a67beff16591a88689f2a822bee845eab7be540c9d5cc6a4abd92723a586a2af4dc96e31e8954a3f08e6a
SSDEEP

384:U1rdNm05MJQo0UtDsIU0dUgpZENMsfyW2vJuxqge:U1JNm05orVSY3MynJuEge

Score

10^/10

vjw0rm execution persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://dbmne20.duckdns.org:8832

Targets

- Target
  
  JaffaCakes118_81e404c97700d97eb4ed9274f84071f48ab947f297afac6367234995467c0c1b
- Size
  
  76KB
- MD5
  
  a524114c369117af161305c725d30005
- SHA1
  
  591a8945d2c2bc5a2babf185fd3d9b7cccc7ea1f
- SHA256
  
  81e404c97700d97eb4ed9274f84071f48ab947f297afac6367234995467c0c1b
- SHA512
  
  4901d5f48dbb08667b8357099cd5f477d57c7c26297a67beff16591a88689f2a822bee845eab7be540c9d5cc6a4abd92723a586a2af4dc96e31e8954a3f08e6a
- SSDEEP
  
  384:U1rdNm05MJQo0UtDsIU0dUgpZENMsfyW2vJuxqge:U1JNm05orVSY3MynJuEge
Score

3^/10
behavioral1 behavioral2
- Target
  
  HB00UN_Copy.js
- Size
  
  14KB
- MD5
  
  4abaff06af02cab33d67aa79028cd546
- SHA1
  
  f3831e4dd7f55fea6f093900a50e11cc311bb3df
- SHA256
  
  39a2889a8f27f0c875f04ac82ebefb26247e41f88c5b2824f649748901ae3a6a
- SHA512
  
  0f8afa70dc5a7838f6d7359f6cdad354fc1a2e9ec1072e47a39c336712e738ca0c6495598d6fdf00c76378b8cc2ae6068b00ece64d3bcdeec94533f017acc66a
- SSDEEP
  
  384:mrdNm05MJQo0UtDsIU0dUgpZENMsfyW2vJuxqgeh:mJNm05orVSY3MynJuEgeh
Score

10^/10

vjw0rm execution persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Vjw0rm family
  vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

vjw0rmexecutionpersistencetrojanworm

behavioral4

vjw0rmexecutionpersistencetrojanworm