Overview

overview

10

Static

static

MgBMOjoQWC_hwstub.js

windows7_x64

10

MgBMOjoQWC_hwstub.js

windows10-2004_x64

10

bJHtVihBXX...ver.js

windows7_x64

10

bJHtVihBXX...ver.js

windows10-2004_x64

10

sYCuOOjDOl_vjstub.js

windows7_x64

10

sYCuOOjDOl_vjstub.js

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    njrat-vjworm.zip

  • Size

    69KB

  • Sample

    220620-j5j8eadfg4

  • MD5

    278adf946df04cf2961e546bbba79a9f

  • SHA1

    553ca5de6c986313c05867b04ab755af28bf503e

  • SHA256

    6eacb035edac06e5cefb1e070b3ed350b0c33090f48ba4e34fd920454eb61729

  • SHA512

    aa798a4b98a25b66bb7eb7cb75779455110b0d6519c50a3f188563b3e697d6daf888198bb4bdc26b29dcd02c561736b142ff2cac18bf03edebec0774b5a05289

Score
10/10
njratvjw0rmhacked by mustymoneyevasionpersistencetrojanworm

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MustyMoney

C2

104.168.7.110:5552

Mutex

72f64d4ec723544c65ffca1cd7ba4ee6

Attributes
  • reg_key

    72f64d4ec723544c65ffca1cd7ba4ee6

  • splitter

    |'|'|

Targets

    • Target

      MgBMOjoQWC_hwstub.js

    • Size

      51KB

    • MD5

      0c7657296a9994e6446ff500bc1b76c3

    • SHA1

      bfdc4584c89faa7f3356549494331ccc8497ab33

    • SHA256

      692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3

    • SHA512

      8549c221d3316d3a57feb5c4bdca51ae504f5479e22b83150a9eca82fb0b5f8ef8b2aa134d2b96c5bef42a170cc7c4dc8099606f71fabcd490732f7b8926213d

    Score
    10/10
    vjw0rmpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      bJHtVihBXX_acserver.js

    • Size

      70KB

    • MD5

      3fb233467088b6906ae7ea8002352e86

    • SHA1

      7f318b6db9a28e39bd0162945295f787956eba61

    • SHA256

      db2525eb120cddd924084eb2d3adada700a65066f46f6c3675e47377ef09ee20

    • SHA512

      e36763c44d0c1e46a986299e3499d476e6e920e8c6d8e704c832457d0ff7725dfa3f29944025a3c9b4205234e285bfdbb69c281f22e1945bcda6094488824cd2

    Score
    10/10
    njratvjw0rmhacked by mustymoneyevasionpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

    • Target

      sYCuOOjDOl_vjstub.js

    • Size

      29KB

    • MD5

      dac9ed798f79a40ef59756c710f61593

    • SHA1

      199bfa38a09181e9396cef4d3b29b0762c5ba987

    • SHA256

      94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160

    • SHA512

      ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef

    Score
    10/10
    vjw0rmpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

MITRE ATT&CK Enterprise v6

Tasks