General
-
Target
eVoucher.js
-
Size
10KB
-
Sample
220322-w6ltvadafl
-
MD5
4a86c0250f53d61920c72434e80ac836
-
SHA1
52d5178d979640301456d353bb1d3a4cd9fe56c8
-
SHA256
2cf7cf0ac77b25eccc61fea38629e1a2de4547aa1d4eaae4f7885fdc0e2194a4
-
SHA512
ddb19e6e340cedd29ea5735caffd7f9e47825c904ce09896d6d6a0680262a371c597ac1e019b55bed12d424c2bc8df5a56940f68edaa3a74e361016abdfc41ad
Malware Config
Extracted
vjw0rm
http://zeegod.duckdns.org:9001
Targets
-
-
Target
eVoucher.js
-
Size
10KB
-
MD5
4a86c0250f53d61920c72434e80ac836
-
SHA1
52d5178d979640301456d353bb1d3a4cd9fe56c8
-
SHA256
2cf7cf0ac77b25eccc61fea38629e1a2de4547aa1d4eaae4f7885fdc0e2194a4
-
SHA512
ddb19e6e340cedd29ea5735caffd7f9e47825c904ce09896d6d6a0680262a371c597ac1e019b55bed12d424c2bc8df5a56940f68edaa3a74e361016abdfc41ad
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-