LIFARS Vjw0rm - Case Study Whitepaper Vjw0rm Worm/RAT Prepared by: LIFARS, LLC Date: 09/02/2021 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 2 EXECUTIVE SUMMARY Vjw0rm is a worm that usually spreads via USB drives. It's also classified as a RAT because it executes commands received from the C2 server. This malware achieves persistence using a Registry Run key and by copying itself to the Startup folder. We will analyze a Javascript file called 45678-INVOICE.js, which can be downloaded from https://app.any.run/tasks/6a900492-4f4b-42a2-ab80-7f5a7262458b/. This is a hybrid worm/RAT called Vjw0rm. JSTool is a Notepad++ plugin that is used to display the code in JavaScript format: Figure 1 ANALYSIS AND FINDINGS 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 3 In order to debug the code, we can add “ ” at the end of the file and save the file in the html format. We’ll use the Developer Tools from Internet Explorer and the “debugger” statement, which stops the execution of the JavaScript and calls the debugging function (note a long string that seems to be base64-encoded): Figure 3 Figure 2 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 4 Internet Explorer does its job and displays a warning message. One of the methods to analyze Javascript files consists of replacing the eval function with document.write (write a string to a document stream) because this way we can see what code would be executed. After performing the transformation, we can open the html file again using Internet Explorer: The malware replaced “@!” from the long string that we’ve seen with “m”, as displayed in the figure below: The script decodes the long string using Base64 and executes it. We can use CyberChef (https://gchq.github.io/CyberChef/) to perform this operation and save the new script as 45678- INVOICE_Layer2.js: As in the first script, the 2nd one decodes a base64-encoded string and then saves it as a js file called “laeapoOSVO.js” in the %AppData% directory. The malware executes the newly created file, as shown in figure 7 (we’ll come back to this file in a few paragraphs). Figure 4 Figure 5 Figure 6 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 5 The process verifies if the registry key called “HKCU\vjw0rm” exists, which indicates that the host has already been infected with this RAT. If there is no such key, it is created and populated with “TRUE” or “FALSE” depending on the result of a comparison: The malware performs a POST request to “http[:]//194.5.97.156:7657/Vre” with a custom user agent. The response from the C2 server is saved for later use: Figure 7 Figure 8 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 6 The user agent from above contains a lot of information about the local host, such as computer name, user name, caption property that contains the OS version, antivirus software installed on the machine, a value which denotes if the .NET VBC (Visual Basic Compiler) v.2.0.50727 is installed on the host and the value of the registry key “HKCU\vjw0rm”, as shown in the next pictures: Figure 11 Figure 9 Figure 10 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 7 The response from the C2 server has the following structure: “Command|V|Script|V|Filename”. The following commands are implemented: “Cl”, “Sc”, “Ex”, “Rn”, “Up”, “Un” and “RF”, as shown in figure 12: Figure 12 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 8 Cl command • exit the script Sc command • create a temporary file called “Filename” (provided by the C2 server) • populate the new file with malicious payload sent by the server • execute the malicious file Ex command • execute additional JS code provided by the C2 server Rn command • open and read the current file • replace “SUCCESS” with a parameter received from the C2 server • save and execute the script using wscript.exe Up command • create a temporary file called “Filename” (provided by the C2 server) • modify the payload received from the server by replacing “|U|” with “|V|” • write the modified payload to the newly created file • execute the script using wscript.exe Un command • execute additional code received from the C2 server • F-Secure reported at https://www.f-secure.com/v-descs/worm_js_vjw0rm.shtml that this command is used to uninstall the worm module RF command • create a temporary file called “Filename” (provided by the C2 server) • populate the new file with malicious payload sent by the server • execute the malicious file For our analysis, we renamed the “laeapoOSVO.js” file as “45678-INVOICE_Layer3.js”. This code is similar to the first script, however, there are a few differences. A snippet of the 3rd script is displayed in figure 13. 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 9 We apply the same transformation for the base64-encoded string as in the first case (“@!” is replaced with “m”). CyberChef is utilized to decode the string and the result is saved as 45678-INVOICE_Layer4.js: Figure 13 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 10 This script is similar to the Layer2 file, however the C2 server changes to http[:]//myroyailrubin2019.duia.ro:5000 (figure 15). The same commands as before are implemented by this script. Figure 14 Figure 15 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 info@lifars.com 11 The script establishes persistence by creating a Run registry key called “SEJOKAOI5S” and by copying itself to the Startup folder, as displayed in figure 16. Indicators of Compromise C2 domains: - http[:]//194.5.97.156:7657 - http[:]//myroyailrubin2019.duia.ro:5000 Figure 16