Overview

overview

10

Static

static

TBWK002.js

windows7_x64

10

TBWK002.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TBWK002.js

  • Size

    13KB

  • Sample

    220128-symjmaffgr

  • MD5

    c910f8d83cff9e13f76968bca257e685

  • SHA1

    509830e988ae5282f99eff728039a96434f30a47

  • SHA256

    244aad5b560717a651e3aeef507fe14c778204e586a58c08b6936645aad483c4

  • SHA512

    e4e3ecef3f4cdab3aa2a63a22ccb20b7665807333b166bc8081b3447f7ad8771fbf6c32b8bcd2d46d72db60bdabc348bbe9915799a791e06a9fc952ecc59ea38

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://hopdhosjd.duckdns.org:9035

Targets

    • Target

      TBWK002.js

    • Size

      13KB

    • MD5

      c910f8d83cff9e13f76968bca257e685

    • SHA1

      509830e988ae5282f99eff728039a96434f30a47

    • SHA256

      244aad5b560717a651e3aeef507fe14c778204e586a58c08b6936645aad483c4

    • SHA512

      e4e3ecef3f4cdab3aa2a63a22ccb20b7665807333b166bc8081b3447f7ad8771fbf6c32b8bcd2d46d72db60bdabc348bbe9915799a791e06a9fc952ecc59ea38

    Score
    10/10
    vjw0rmpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks