General

  • Target

    receipt.js

  • Size

    66KB

  • Sample

    220311-v8ww6adfaq

  • MD5

    97dca8a40e40a71719b53c1f2d1aa1ef

  • SHA1

    1527242f0615a962d4987aa4a5f3f3c356579196

  • SHA256

    3be7dd44f3dd4e96f34da6bfec722fdeb5f1c7220bc11bb709825a07e6294c6e

  • SHA512

    9fd75526f17448b01f45f60842bfb060a797507adad20b0d2f5dd162e1a6a37949a43b89fdbddedf91c2db9f8c3e9f2dfe08dd35971bedc7e26fd05dfbdf3f6e

Malware Config

Extracted

  • Family

    vjw0rm

  • C2

    http://zeegod.duckdns.org:9998

Targets

    • Target

      receipt.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks