# Vjw0rm Worm/RAT ### Prepared by: LIFARS, LLC Date: 09/02/2021 ----- ## EXECUTIVE SUMMARY Vjw0rm is a worm that usually spreads via USB drives. It's also classified as a RAT because it executes commands received from the C2 server. This malware achieves persistence using a Registry Run key and by copying itself to the Startup folder. ## ANALYSIS AND FINDINGS We will analyze a Javascript file called 45678-INVOICE.js, which can be downloaded from https://app.any.run/tasks/6a900492-4f4b-42a2-ab80-7f5a7262458b/. This is a hybrid worm/RAT called Vjw0rm. JSTool is a Notepad++ plugin that is used to display the code in JavaScript format: ###### Figure 1 ----- In order to debug the code, we can add “ ” at the end of the file and save the file in the html format. We’ll use the Developer Tools from Internet Explorer and the “debugger” statement, which stops the execution of the JavaScript and calls the debugging function (note a long string that seems to be base64-encoded): ###### Figure 2 ##### Figure 3 ----- Internet Explorer does its job and displays a warning message. One of the methods to analyze Javascript files consists of replacing the eval function with document.write (write a string to a document stream) because this way we can see what code would be executed. After performing the transformation, we can open the html file again using Internet Explorer: ###### Figure 4 The malware replaced “@!” from the long string that we’ve seen with “m”, as displayed in the figure below: ###### Figure 5 The script decodes the long string using Base64 and executes it. We can use CyberChef (https://gchq.github.io/CyberChef/) to perform this operation and save the new script as 45678INVOICE_Layer2.js: ###### Figure 6 As in the first script, the 2[nd] one decodes a base64-encoded string and then saves it as a js file called “laeapoOSVO.js” in the %AppData% directory. The malware executes the newly created file, as shown in figure 7 (we’ll come back to this file in a few paragraphs). ----- ###### Figure 7 The process verifies if the registry key called “HKCU\vjw0rm” exists, which indicates that the host has already been infected with this RAT. If there is no such key, it is created and populated with “TRUE” or “FALSE” depending on the result of a comparison: ###### Figure 8 The malware performs a POST request to “http[:]//194.5.97.156:7657/Vre” with a custom user agent. The response from the C2 server is saved for later use: ----- ###### Figure 9 The user agent from above contains a lot of information about the local host, such as computer name, user name, caption property that contains the OS version, antivirus software installed on the machine, a value which denotes if the .NET VBC (Visual Basic Compiler) v.2.0.50727 is installed on the host and the value of the registry key “HKCU\vjw0rm”, as shown in the next pictures: ###### Figure 10 ##### Figure 11 ----- The response from the C2 server has the following structure: “Command|V|Script|V|Filename”. The following commands are implemented: “Cl”, “Sc”, “Ex”, “Rn”, “Up”, “Un” and “RF”, as shown in figure 12: ###### Figure 12 ----- Cl command - exit the script Sc command - create a temporary file called “Filename” (provided by the C2 server) - populate the new file with malicious payload sent by the server - execute the malicious file Ex command - execute additional JS code provided by the C2 server Rn command - open and read the current file - replace “SUCCESS” with a parameter received from the C2 server - save and execute the script using wscript.exe Up command - create a temporary file called “Filename” (provided by the C2 server) - modify the payload received from the server by replacing “|U|” with “|V|” - write the modified payload to the newly created file - execute the script using wscript.exe Un command - execute additional code received from the C2 server - F-Secure reported at https://www.f-secure.com/v-descs/worm_js_vjw0rm.shtml that this command is used to uninstall the worm module RF command - create a temporary file called “Filename” (provided by the C2 server) - populate the new file with malicious payload sent by the server - execute the malicious file For our analysis, we renamed the “laeapoOSVO.js” file as “45678-INVOICE_Layer3.js”. This code is similar to the first script, however, there are a few differences. A snippet of the 3[rd] script is displayed in figure 13. ----- ###### Figure 13 We apply the same transformation for the base64-encoded string as in the first case (“@!” is replaced with “m”). CyberChef is utilized to decode the string and the result is saved as 45678-INVOICE_Layer4.js: ----- ###### Figure 14 This script is similar to the Layer2 file, however the C2 server changes to http[:]//myroyailrubin2019.duia.ro:5000 (figure 15). The same commands as before are implemented by this script. ###### Figure 15 ----- The script establishes persistence by creating a Run registry key called “SEJOKAOI5S” and by copying itself to the Startup folder, as displayed in figure 16. ###### Figure 16 ### Indicators of Compromise C2 domains: - http[:]//194.5.97.156:7657 - http[:]//myroyailrubin2019.duia.ro:5000 -----