General

  • Target

    QROSLK40MKSD.js

  • Size

    9KB

  • Sample

    211210-kdkkjafgh8

  • MD5

    efe7b98b685c2f180c40198cc93550a6

  • SHA1

    6990454c9d338a50fbb443990a766d211e76e2f2

  • SHA256

    0960069e6f40570d52fcc5293d08cf6c75f01c04f11d35551858a587dc78a856

  • SHA512

    10e2702040a1d89b2c3caaafc6d3ea98e26bc7936283a3c1eb3049579cf39740a55d54fc4c88d0430664b1301347c9f1f1e76a29b768dfe765f732b7cab87dbd

Malware Config

Extracted

Family

vjw0rm

C2

http://wormmondg.duckdns.org:9034

Targets

    • Target

      QROSLK40MKSD.js

    • Size

      9KB

    • MD5

      efe7b98b685c2f180c40198cc93550a6

    • SHA1

      6990454c9d338a50fbb443990a766d211e76e2f2

    • SHA256

      0960069e6f40570d52fcc5293d08cf6c75f01c04f11d35551858a587dc78a856

    • SHA512

      10e2702040a1d89b2c3caaafc6d3ea98e26bc7936283a3c1eb3049579cf39740a55d54fc4c88d0430664b1301347c9f1f1e76a29b768dfe765f732b7cab87dbd

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks