General

  • Target

    TWR200719A.iso

  • Size

    70KB

  • Sample

    210921-w27whschbp

  • MD5

    b2fe1194210020c5e1b832ea2f89eb85

  • SHA1

    f1f6cdf67e1dba06be66ea31879b27d1bfe3d7ae

  • SHA256

    25b85c37e7a41e70b38eaedb06bc1eaafe8bbce4f9db25353c05716b1a77d8e6

  • SHA512

    b51d7df1aef020a541884550d058f7f5d6dd2792937ebf2bb4d9ac547f78d9d72afb602e1e1f8f20ec31c77f6625207aff6448ae81309fda3445207f714b9ea7

Malware Config

Targets

    • Target

      TWR200719A.js

    • Size

      9KB

    • MD5

      3787cf61efad8ad8206ecf4646591523

    • SHA1

      a4f5b2f8d95daf74ebb7fd69daa9db8d664d3d42

    • SHA256

      d6c370036f27ac2a4b7a3c03dab8cba588d665197ba22391bb7ce8d049948d31

    • SHA512

      d0f9885a76ced02d7d5b9b2a1ea4ee0cf9b9e3f178bf8495dae31c5adeb79818a00548eab73c4fe78b40468ad8bd75c13305e42b3aa8bf28c68356e3b4b9f27b

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks