General

  • Target

    JUSTIFICANTE PAGO .jar

  • Size

    623KB

  • Sample

    220627-slqeradha5

  • MD5

    8f2e219434282e43f8fa9386081c898b

  • SHA1

    d749418ec454764bf243c73fb28d36a83118cc35

  • SHA256

    8ab87e7fcf49648efa256ca90e9907c46b7c67a46de01630c97477a1b0d0025f

  • SHA512

    bdffa5e00006868e68fc1afae57c26939797b9413b457e0d2f392f0aa72c902c81144bcf4f3645dfaa230fab8cd5c9dec1dd2541ffaab5f9e22aceb69a313533

Malware Config

Targets

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • UAC bypass

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                            Count  ID
Persistence           Registry Run Keys / Startup Folder   2      T1060
Persistence           Hidden Files and Directories         1      T1158
Privilege Escalation  Bypass User Account Control          1      T1088
Defense Evasion       Bypass User Account Control          1      T1088
Defense Evasion       Disabling Security Tools             1      T1089
Defense Evasion       Modify Registry                      4      T1112
Defense Evasion       Hidden Files and Directories         1      T1158
Discovery             Query Registry                       1      T1012
Discovery             System Information Discovery         2      T1082
Impact                Inhibit System Recovery              1      T1490

Tasks