General

  • Target: #UOO991.js
  • Size: 9KB
  • Sample: 211208-s5yv8sgbd9
  • MD5: 5513419842fc60ab5cfa771672575ad3
  • SHA1: 32f8cfa4af614c3eb38898ed33cdb3d2e403ae3e
  • SHA256: 24965c8f04697a180e542d601f1d7a4f2d8efed7848d322ddc0d62fbf29c3a59
  • SHA512: 46bb3191e3d790c31ee5ef1dd00e3e877b58afc6e5f0706d135f0a70941595d66b56fc73489fa7e336795541c7484da4cb03289fe317cc323e5b4b1fa3a91bce

Malware Config

Extracted

  • Family: vjw0rm
  • C2: http://warmmoney.duckdns.org:7907

Targets

    • Target: #UOO991.js


    • Vjw0rm: Vjw0rm is a remote access trojan written in JavaScript.
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       1      T1053
Persistence           Registry Run Keys / Startup Folder   1      T1060
Persistence           Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       Modify Registry                      1      T1112
Discovery             System Information Discovery         1      T1082

Tasks