General

  • Target

    QWUOPNSFGA802NM.js

  • Size

    72KB

  • Sample

    211209-tfm8waced6

  • MD5

    91f6af74d269b8020d582cb41392ac11

  • SHA1

    9c03d6159f46325a57c6888109cbd9ef6c7e0139

  • SHA256

    126a1a59ccf49cb5c09e69f8588ece339dece436be5af14de462c871ec1fe83b

  • SHA512

    c1446ce741756341d045b57d49347e4dbaa92e77640e554eab0a184a342ae9d5af7a2584d2907bf909fce6ff9a14a5568f01cbc6df305c5f76753565ddd2b0df

Malware Config

Extracted

  • Family

    vjw0rm

  • C2

    http://wormmondg.duckdns.org:9034
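The hashes and the extracted C2 above are the indicators most people will actually act on. The following is an added example, not part of the sandbox report, showing how to use them: it hashes a file with all four algorithms in a single pass and compares the result with the reported digests, and it scans log lines for the C2 host. Because the C2 is a DuckDNS dynamic-DNS name, the scanner reports the exact host as a strong hit and any other *.duckdns.org name only as a weak hit; the log lines are constructed for the example and the severity labels are this example's own convention.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above (file hashes and extracted C2).
IOC_HASHES = {
    "md5": "91f6af74d269b8020d582cb41392ac11",
    "sha1": "9c03d6159f46325a57c6888109cbd9ef6c7e0139",
    "sha256": "126a1a59ccf49cb5c09e69f8588ece339dece436be5af14de462c871ec1fe83b",
    "sha512": (
        "c1446ce741756341d045b57d49347e4dbaa92e77640e554eab0a184a342ae9d5"
        "af7a2584d2907bf909fce6ff9a14a5568f01cbc6df305c5f76753565ddd2b0df"
    ),
}
C2_URL = "http://wormmondg.duckdns.org:9034"
C2_HOST = urlsplit(C2_URL).hostname   # wormmondg.duckdns.org
C2_PORT = urlsplit(C2_URL).port       # 9034

# Any DuckDNS subdomain: a weak signal on its own (dynamic DNS is shared by many
# legitimate users), kept separate from the exact C2 host.
DUCKDNS_RE = re.compile(r"\b([a-z0-9-]+\.duckdns\.org)\b")


def _digests():
    return {name: hashlib.new(name) for name in IOC_HASHES}


def hash_bytes(data):
    """Hash an in-memory blob with the four algorithms the report lists."""
    d = _digests()
    for h in d.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in d.items()}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all four hashes at once (one read pass)."""
    d = _digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in d.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in d.items()}


def matches_sample(digests):
    """Names of the algorithms whose digest equals the reported sample's."""
    return {name for name, hexval in digests.items()
            if IOC_HASHES.get(name) == hexval.lower()}


def scan_log_lines(lines):
    """Classify lines: 'strong' = exact C2 host seen, 'weak' = some other DuckDNS name."""
    hits = []
    for line in lines:
        hosts = set(DUCKDNS_RE.findall(line.lower()))
        if C2_HOST in hosts:
            hits.append(("strong", line))
        elif hosts:
            hits.append(("weak", line))
    return hits


# Constructed DNS/proxy log lines (not from the report) to exercise the scanner.
SAMPLE_LOG = [
    "dns client=10.0.0.5 qname=wormmondg.duckdns.org qtype=A rcode=NOERROR",
    "proxy client=10.0.0.5 method=CONNECT dest=wormmondg.duckdns.org:9034 status=200",
    "dns client=10.0.0.7 qname=home-cam.duckdns.org qtype=A rcode=NOERROR",
    "dns client=10.0.0.9 qname=www.example.com qtype=A rcode=NOERROR",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, matches_sample(hash_file(path)) or "no match")
    for severity, line in scan_log_lines(SAMPLE_LOG):
        print(severity, line)
```

Run it with one or more file paths to check them against the sample's hashes; hash matching is exact, so a repacked or re-obfuscated variant of the same script will not match and the C2 host is the more durable indicator of the two.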

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript. A .js sample such as this one is executed on the victim by the Windows Script Host (wscript.exe), which is also what connects to the C2 extracted above.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist of interpreters and script hosts (for a .js sample, the script host running it) opened a network connection.

    • Drops startup file

      A file is written to the user's Startup folder so that it runs at logon (mapped to T1060 below).

    • Adds Run key to start application

      A value is added under a Registry Run key so that the application starts at logon (mapped to T1060 below).
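The two persistence signatures above point at exactly the artifacts a responder should pull from a host: the Run keys and the Startup folder. The following is an added example, not part of the report or of any sandbox's tooling, that triages both: it parses a `reg export` of the Run key, undoes the .reg escaping, and flags values that hand a script file to wscript.exe/cscript.exe or register a script file directly, then flags script files in a Startup folder listing. The registry export and the folder listing are constructed for the example (the value name and path are assumptions chosen to mirror this sample's file name, not something the report states), and the set of script extensions treated as suspicious is this example's own choice.

```python
import re

# Constructed `reg export` text (not from the report): one benign value and one value
# that launches the sample under wscript.exe from the user's profile. The value name
# and path are assumptions for illustration only.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"QWUOPNSFGA802NM"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\QWUOPNSFGA802NM.js\""
'''

# Constructed listing of the user's Startup folder (not from the report).
SAMPLE_STARTUP_DIR = ["desktop.ini", "QWUOPNSFGA802NM.js"]

# Extensions the Windows Script Host executes by file association; the list is this
# example's choice.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
SCRIPT_FILE_RE = re.compile(r"\.(?:jse?|vb[se]|wsf)\b", re.I)


def parse_reg_export(text):
    """Return (key, value_name, string_data) for each REG_SZ value in a .reg export."""
    values, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, raw = m.groups()
            # .reg files escape backslashes and quotes with a backslash; undo that.
            values.append((key, name, re.sub(r"\\(.)", r"\1", raw)))
    return values


def suspicious_command(cmd):
    """Reason string if a Run value would execute a script file, else None."""
    if SCRIPT_HOST_RE.search(cmd) and SCRIPT_FILE_RE.search(cmd):
        return "script host launches a script file"
    if cmd.strip().strip('"').lower().endswith(SCRIPT_EXTS):
        return "script file registered directly (runs via file association)"
    return None


def triage_persistence(reg_text, startup_entries):
    """Flag Run/RunOnce values and Startup folder entries that execute script files."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not re.search(r"\\Run(?:Once)?$", key, re.I):
            continue
        reason = suspicious_command(data)
        if reason:
            findings.append({"source": key, "name": name, "data": data, "reason": reason})
    for entry in startup_entries:
        if entry.lower().endswith(SCRIPT_EXTS):
            findings.append({"source": "Startup folder", "name": entry,
                             "data": entry, "reason": "script file in Startup folder"})
    return findings


if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_DIR):
        print(f"{f['source']}\\{f['name']}: {f['reason']}\n    {f['data']}")
```

On a live host the same functions take the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent) plus a directory listing of the Startup folder; the Run key parser deliberately ignores non-string value types, since the persistence here is a command line.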

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                             Count   ID
  Execution              Scheduled Task                        1       T1053
  Persistence            Registry Run Keys / Startup Folder    1       T1060
  Persistence            Scheduled Task                        1       T1053
  Privilege Escalation   Scheduled Task                        1       T1053
  Defense Evasion        Modify Registry                       1       T1112
  Discovery              System Information Discovery          1       T1082

The count is the number of sandbox signatures mapped to each technique. The IDs follow ATT&CK v6; in current ATT&CK versions, Registry Run Keys / Startup Folder is the sub-technique T1547.001 and the Windows Scheduled Task is T1053.005.
