General

  • Target

    4988109_Payment_Invoice_Receipt.js

  • Size

    81KB

  • Sample

    211206-hjmkzagcc4

  • MD5

    f3592ef1ba926bbbe23fd3733d65c4d9

  • SHA1

    d38daa37f82b1da083d88cd5b4d85962b07e1589

  • SHA256

    505998d8cb3f4b56a9551138bac8262da3be7813c05b932ebae7eba9dbadc938

  • SHA512

    638de28505536930c4e78aa3cdfd97cd9580efbfd0bc6b534ab9f715227c563eba6b33068910766253c822c2d799e0ee650426488495274e49377b77e000c14e

Malware Config

Extracted

  • Family

    vjw0rm

  • C2

    http://3000js.duckdns.org:3000

Targets

    • Target

      4988109_Payment_Invoice_Receipt.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application
