General

  • Target

    6cd17b20fb0a6919e6b441904e5c92c326a44c2d05c65e4f2929f67172deceb6

  • Size

    1.2MB

  • Sample

    220206-s8elrsbdc5

  • MD5

    f42606ebb28ce568386f96f29342f62f

  • SHA1

    8f23c505177063ade623a482c96efe4633dfa69a

  • SHA256

    6cd17b20fb0a6919e6b441904e5c92c326a44c2d05c65e4f2929f67172deceb6

  • SHA512

    c5360cd7470891db65d31b7f1f08bfe5405907a8bfe0a47e1d8b655f24c61353c6737f5b5170c9df6fca3a77da3e686e2d052724992125600aa9f2348dae3e67

Malware Config

Targets

    • Target

      ADP_INV_.JS

    • Size

      3KB

    • MD5

      84ff68b6acab9e2fcdc86c042be45439

    • SHA1

      dff73b1866bcb0d42aca4bbf89bb6a909fa8b086

    • SHA256

      5f05557ff4babe05f0d4842de6a67eb3e951af6c42a27b7fa9663b7ad18e5aba

    • SHA512

      d5b57189a3a108774982d18b86f8c3f7ed510b7595d31cd8e268a0804f7c903a76143d970e9df77235760cefe75ef9ac94594bffb7c07d19b50c5af2dcb63651

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript; it runs under the Windows Script Host (wscript.exe) rather than as a native executable.

    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution (run or exit depending on the victim's configured region).

    • Drops startup file

    • Adds Run key to start application
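
The two persistence behaviours above (a Run key pointing at the script and a copy dropped in the Startup folder) are what a responder would go looking for on a host that ran this sample. The following Python script is an added example, not part of this report and not code from the sample: it classifies collected autostart entries and flags those that hand a script file to the Windows Script Host. The entries, the `victim` user name and the `%APPDATA%` paths are constructed to mirror the listed behaviours; they are not data extracted from the analysed sample.

```python
"""Flag Run-key and Startup-folder entries that launch a script file.

Added example for this report; not sandbox output and not the sample's code.
SAMPLE_ENTRIES below is constructed to mirror the behaviours the report lists
(Run key added, startup file dropped) and is not data from the analysed sample.
"""
import ntpath
import re

# Windows Script Host binaries; a .js RAT such as Vjw0rm runs under one of these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions the Script Host executes when a file is launched by association.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


def tokenize(command):
    """Split a Windows command line, keeping double-quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def classify(entry):
    """Return the reasons an autostart entry looks like script persistence.

    entry: {"source": "run_key" | "startup_folder", "location": str,
            "name": str, "command": str}
    An empty list means the entry was not flagged.
    """
    if entry["source"] == "startup_folder":
        tokens = [entry["command"]]          # a dropped file path, not a command line
    else:
        tokens = tokenize(entry["command"])
    if not tokens:
        return []

    reasons = []
    head = tokens[0].lower()
    host = ntpath.basename(head)
    if host in SCRIPT_HOSTS:
        reasons.append("launched via Windows Script Host (%s)" % host)
    if head.endswith(SCRIPT_EXTS):
        # A bare script path is run through its file association, i.e. wscript.exe.
        reasons.append("script file launched directly by association")
    for arg in tokens[1:]:
        if arg.lower().endswith(SCRIPT_EXTS):
            reasons.append("script file argument: " + ntpath.basename(arg))
    if reasons and entry["source"] == "startup_folder":
        reasons.append("located in Startup folder")
    return reasons


def triage(entries):
    """Map the name of every flagged entry to its list of reasons."""
    flagged = {}
    for entry in entries:
        reasons = classify(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Constructed autostart inventory (hypothetical host, user "victim"); two benign
# entries are included so the check is seen to leave normal software alone.
SAMPLE_ENTRIES = [
    {"source": "run_key",
     "location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ADP_INV_",
     "command": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\victim\AppData\Roaming\ADP_INV_.JS"'},
    {"source": "run_key",
     "location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"source": "startup_folder",
     "location": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "ADP_INV_.JS",
     "command": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADP_INV_.JS"},
    {"source": "run_key",
     "location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The Startup-folder branch treats the entry as a file path rather than a command line, because paths such as `...\Start Menu\Programs\Startup\...` contain spaces and would otherwise be split. On a real host the inventory would come from `reg query` of the Run keys (HKCU and HKLM) and a directory listing of both the per-user and all-users Startup folders; the `SCRIPT_HOSTS` check catches entries that name wscript.exe or cscript.exe explicitly, and the extension check catches a bare script path that runs through its file association.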

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                             Count  ID
  Execution             Scheduled Task                        1      T1053
  Persistence           Registry Run Keys / Startup Folder    1      T1060
  Persistence           Scheduled Task                        1      T1053
  Privilege Escalation  Scheduled Task                        1      T1053
  Defense Evasion       Modify Registry                       1      T1112
  Discovery             Query Registry                        2      T1012
  Discovery             System Information Discovery          3      T1082

Tasks