General

  • Target

    #00771.zip

  • Size

    23KB

  • Sample

    211220-wjky2abde2

  • MD5

    1da38cd2e3743864d0634afeaa82c714

  • SHA1

    08f8a82df86c11fc0cf72e65d31f27424de000e2

  • SHA256

    ec638aada9c69c74a1a0e31144c36d9a759f045c6ce90eb8b09a5f7644fb4957

  • SHA512

    8e4c9bdd29c6733fcd97ffdd8519fcae1b842a8a34a25f997328791e0fad9293a9d7ae9d25e2c3a0b3c10657413165bc4bd82d87fb1e16e9799a470c7b166d8b

Malware Config

Extracted

Family

vjw0rm

C2

http://moneyworm.duckdns.org:8756

Targets

    • Target

      GKOPEWRYU.js

    • Size

      61KB

    • MD5

      6c65767545d7ad14fa6f2aa28fdd37e1

    • SHA1

      7a31fc2c58c387e538b8d2c6e288cfacee899ea2

    • SHA256

      4659be2ae1f69a483f84a858f35ab0b184031a1dbdccfb8b89decaa75004f249

    • SHA512

      73161f26b1cbd297c89a7b9811837b3bae6a44bf022aadd94ec1c57daddc2092c43809b002e4aab2cd59ecd2cb8ad106ede24d459be2831bf38537c6b8396ea8

    • Vjw0rm

      Vjw0rm (Vengeance Justice Worm) is a remote access trojan written in JavaScript. In this sample it is the GKOPEWRYU.js script carried inside #00771.zip; the extracted configuration points it at the C2 listed above.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  Technique (ID): number of matching signatures. IDs are those of ATT&CK v6; in current ATT&CK, Registry Run Keys / Startup Folder is T1547.001 and Scheduled Task is T1053.005.

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1
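
The indicators and behaviours above, turned into a small offline triage helper. This is an added example, not part of the sandbox report: the SHA256 values and the C2 URL are the report's own, but the proxy/DNS log lines and the registry export it scans are constructed sample input, and the Run-key value name and script path used in that sample (GKOPEWRYU under HKCU\...\Run, launched by wscript.exe) are assumptions, since the report states that a Run key is added but does not give its name. The Run-key parser is general: it flags any value under a Run/RunOnce key that hands a .js file to wscript/cscript, which is how a dropped .js RAT of this kind persists.

```python
"""Triage helper built from the report's indicators (added example, not the
report's own code). Hashes and C2 come from the report; SAMPLE_LOG and
SAMPLE_REG below are constructed input, not captured data."""
import hashlib
import re
from urllib.parse import urlsplit

# File indicators taken verbatim from the report (SHA256 -> reported name).
KNOWN_SHA256 = {
    "ec638aada9c69c74a1a0e31144c36d9a759f045c6ce90eb8b09a5f7644fb4957": "#00771.zip",
    "4659be2ae1f69a483f84a858f35ab0b184031a1dbdccfb8b89decaa75004f249": "GKOPEWRYU.js",
}
# C2 from the extracted vjw0rm config; the dynamic-DNS name is the stable indicator.
C2_URL = "http://moneyworm.duckdns.org:8756"
C2_HOST = urlsplit(C2_URL).hostname   # moneyworm.duckdns.org
C2_PORT = urlsplit(C2_URL).port       # 8756


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes):
    """Return the reported file name if the bytes match a known sample, else None."""
    return KNOWN_SHA256.get(sha256_hex(data))


def find_c2_hits(log_lines):
    """(line_no, line) for each log line mentioning the C2 host.
    Matching on the host (not the full URL) catches the DNS lookup as well as
    the HTTP connection."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if C2_HOST in line.lower()]


# Run-key data handing a .js file to a script host, e.g.
#   wscript.exe //B "C:\Users\user\AppData\Roaming\GKOPEWRYU.js"
_JS_LAUNCH = re.compile(r"\b[wc]script(\.exe)?\b.*\.js\b", re.IGNORECASE)


def _launches_js(data: str) -> bool:
    d = data.lower()
    # A bare .js path also runs through wscript.exe via the default file handler.
    return d.rstrip('"').endswith(".js") or _JS_LAUNCH.search(d) is not None


def _unquote_reg(data: str) -> str:
    """Undo .reg REG_SZ escaping: strip outer quotes, then \\\\ -> \\ and \\" -> "."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace("\\\\", "\\").replace('\\"', '"')


def suspicious_run_values(reg_export: str):
    """Parse .reg-style text; return (key, value_name, data) for every named
    value under a ...\\Run or ...\\RunOnce key that launches a .js file (T1060).
    Default (@=) values and non-string data are ignored."""
    findings, current_key, in_run_key = [], None, False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_run_key = current_key.lower().endswith(("\\run", "\\runonce"))
            continue
        if not in_run_key or not line.startswith('"') or '"=' not in line:
            continue
        name, _, data = line.partition('"=')   # value names are quoted; split on the closing quote
        data = _unquote_reg(data)
        if _launches_js(data):
            findings.append((current_key, name.lstrip('"'), data))
    return findings


# Constructed sample input (not captured data): two C2-related lines, one benign.
SAMPLE_LOG = [
    "2021-12-20T14:03:11Z dns query=moneyworm.duckdns.org type=A client=10.0.0.17",
    "2021-12-20T14:03:12Z proxy client=10.0.0.17 method=POST url=http://moneyworm.duckdns.org:8756/ status=200",
    "2021-12-20T14:03:15Z proxy client=10.0.0.22 method=GET url=https://example.com/ status=200",
]
# Constructed `reg export` output; the GKOPEWRYU value name and path are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GKOPEWRYU"="wscript.exe //B \"C:\\Users\\user\\AppData\\Roaming\\GKOPEWRYU.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''


def triage(log_lines=SAMPLE_LOG, reg_export=SAMPLE_REG):
    """Run both checks and return the findings."""
    return {"c2_hits": find_c2_hits(log_lines),
            "run_keys": suspicious_run_values(reg_export)}


if __name__ == "__main__":
    result = triage()
    for n, line in result["c2_hits"]:
        print(f"C2 contact (log line {n}): {line}")
    for key, name, data in result["run_keys"]:
        print(f"Persistence: [{key}] {name} = {data}")
```

On a live host the same parser can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and `match_hash` applied to the bytes of any .js or .zip found in the user's profile; the hash check only confirms this exact sample, so the C2 host and the wscript-launching Run key are the more durable indicators.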
