General

  • Target

    c9773c0e6400723de53caa5fa8688975700ad7e6401630c202174e0014b57e58

  • Size

    1.2MB

  • Sample

    220206-jl4spsggaj

  • MD5

    c43168b1b2dd02c6f36195f78ff2965d

  • SHA1

    492465ca494a1432fc6ab143ccc61dcca5b1bf46

  • SHA256

    c9773c0e6400723de53caa5fa8688975700ad7e6401630c202174e0014b57e58

  • SHA512

    63afba2ddd7779544ec118c8c1a2338ba116b8691f2911c34a0d1509aff072e5ac6efeba536918ef61eb5d46c4725023278ccd3391890242966edf0fad4b220f

Malware Config

Targets

    • Target

      INV__904.JS

    • Size

      3KB

    • MD5

      bd2ef974ff2ac7645c9c1249c6f09c67

    • SHA1

      2f91d738794f8dc4e18e61d2ebd138e9cee26118

    • SHA256

      999b0576efee65a6c79f2fdc6e6f0d3aca3965d9e3f6193d88d452a5f507fc4e

    • SHA512

      65d7b23e6b0d99c73b6a0b8588c15c84ecfd3a5e2aa6e6cbeb4e2204479881b9587cc5dd84d097a1a4a95182fc83c0e41ab4683bab1783af6528e78eb7946303

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check (the script decides whether to run based on the victim's locale).

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            ID      Matches
  Execution             Scheduled Task                       T1053   1
  Persistence           Registry Run Keys / Startup Folder   T1060   1
  Persistence           Scheduled Task                       T1053   1
  Privilege Escalation  Scheduled Task                       T1053   1
  Defense Evasion       Modify Registry                      T1112   1
  Discovery             Query Registry                       T1012   2
  Discovery             System Information Discovery         T1082   3

  "Matches" is the number of report signatures mapped to that technique. The IDs are ATT&CK v6; in current ATT&CK, T1060 corresponds to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and Scheduled Task is the sub-technique T1053.005.
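
How a sandbox's signature layer turns raw behaviour events into the named signatures listed under Targets and the ATT&CK technique counts in the matrix above, as an added example written for this page (illustrative Python, not Triage's rule set and not the sample's own code). The event lines are constructed to resemble what a wscript.exe-launched .JS sample would produce, the registry paths read for the country lookup and the 203.0.113.10 address are assumptions, and the signature-to-technique mapping is chosen to line up with the matrix rather than taken from the sandbox.

```python
"""Added example (not Triage's code): map sandbox-style behaviour events to
signature names and ATT&CK v6 technique IDs, the way a report's
behaviour signatures and MITRE matrix are derived from raw events.

Event lines below are CONSTRUCTED; none are taken from the report.
Registry paths for the locale lookup are assumptions."""
import re
from collections import Counter

# Constructed event log: (event_type, detail). Not from the report.
SAMPLE_EVENTS = [
    ("process",   r"C:\Windows\System32\wscript.exe C:\Users\user\Downloads\INV__904.JS"),
    # Assumed registry locations a script reads to learn the machine's country/locale.
    ("regquery",  r"HKCU\Control Panel\International\LocaleName"),
    ("regquery",  r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Locale"),
    ("regset",    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\INV__904"),
    ("filewrite", r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INV__904.JS"),
    ("netconn",   "wscript.exe -> 203.0.113.10:8080"),  # constructed; documentation-range IP
]

# Signature rules: (name, event type, regex on detail, ATT&CK v6 technique IDs).
# The signature-to-technique mapping is this example's assumption, chosen to
# match the report's matrix; it is not the sandbox's internal rule set.
SIGNATURES = [
    ("Adds Run key to start application", "regset",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I), ("T1060", "T1112")),
    ("Drops startup file", "filewrite",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I), ("T1060",)),
    ("Checks computer location settings", "regquery",
     re.compile(r"\\Control Panel\\International\\|\\Nls\\Locale$", re.I), ("T1012", "T1082")),
    ("Blocklisted process makes network request", "netconn",
     re.compile(r"^(wscript|cscript|mshta|regsvr32)\.exe\b", re.I), ()),
]


def match_signatures(events):
    """Return (signature_name, detail) for every event some rule matches.
    A rule that fires on several events is reported once per event."""
    hits = []
    for etype, detail in events:
        for name, rule_type, pattern, _ in SIGNATURES:
            if etype == rule_type and pattern.search(detail):
                hits.append((name, detail))
    return hits


def attack_matrix(hits):
    """Count distinct triggered signatures per technique ID. A signature
    counts once per technique even if it fired on several events, which
    is why two locale registry reads yield a single T1012/T1082 match."""
    techniques = {name: techs for name, _, _, techs in SIGNATURES}
    counts = Counter()
    for name in {name for name, _ in hits}:
        counts.update(techniques[name])
    return dict(counts)


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS)
    for name, detail in hits:
        print(f"[{name}] {detail}")
    print(attack_matrix(hits))
```

Run stand-alone, it reports five signature hits (the two locale reads both trigger "Checks computer location settings") and a matrix of T1060: 2, T1112: 1, T1012: 1, T1082: 1. The "process" event hits no rule, which is the usual case: most sandbox events are noise, and only the rules you write for persistence, discovery and blocklisted-process activity turn them into something actionable.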

Tasks