Vjw0rm
Sample Url: https://bazaar.abuse.ch/
We start with a js file the file is obfuscated as shown in the image and at the end is some data that looks like base64 encoded but if you try to decode it directly it will fail.
Image 1
After using de4js to deobfuscate the script and follow looking at its logic it appears to replace each match of ><
on the suspicious base46 with A
the decode it.
Image 2
and the decoded payload reveals another js script
Image 3
This script will write a new js
file at the%APPDATA%/spHAeMTgHF.js
and run it the content of the file is the result of decoding base64 data. And will create a new vbs
file at %TMP%/ejike.vbs
and run it the content of the file is the result of decoding base64 data.
I will start with the js
file it is obfuscated as the first file so by replacing ><
with A
and base64 decode we found another js
script The new script includes some weird naming and needs to be analysed
Image 4
Cleaning it a bit and we can find what it does. For presistance it uses registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ\
And it copies itself to the startup folder Another registry that is used by this malware is HKCU\vjw0rm
Then a loop is started to communicate with the C2 in our case it was http://franmhort[.]duia[.]ro
at port 8152
and path Vre/
jvw0rm includes a few commands:
- Cl: terminate the script
- Sc: write file to
%tmp%
dir and run it - Ex: eval JScript
- Rn: overwrite
VN
variable with a new value and re-run the script - Un: it is not clear but appears to do something related to the registry key
YVBPFHTJIQ
could be updated - RF: the same as Cl
Looking at the vbs
file and it appears that this is the worm it will copy itself to startup, temp folders and add itself to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\<script name>
HKEY_LOCAL_MACHINE\software\microsof\windows\currentversion\run\<script name>
then enumerate all files and folders on the system and create a shortcut for them and inject itself to run when each one is used
the worm provides some ready function like a trojan:
- execute: run vbs scripts
- uninstall: remove the worm and reverse all that it did [could be used to build removal script]
- send: download file from c2
- site-send: download file from any site
- recv: upload file to c2
- enum-driver: enumerate drivers
- enum-faf: enumerate folder
- enum-process: enumerate processes
- cmd-shell: start cmd shell
- delete: delete file or folder
- exit-process: terminate process
- sleep: sleep ;)
worm c2:
- host: 194.5.97.7
- port: 4040