General

  • Target

    YHmwWCgLmi_ned7070vjw0m.js

  • Size

    29KB

  • Sample

    220814-ha681sahem

  • MD5

    30720b7ad3c7fa1d5f9a340cf9fc7da9

  • SHA1

    ae527e77ef30449fdc878eb7e5186e9829f725de

  • SHA256

    d84f36f37d7cb70295af9029b5ca638acf0b07c8e5333802db37989adaffbb22

  • SHA512

    bcbfc7561c3008a10d076f646bee83c16137d269196856b0be2d4e4e059815c2d584a189cbfe6c1999a23c79a19a15807039b33321986173c073ddc48bf3b9ee

Malware Config

Extracted

Family

vjw0rm

C2

http://185.157.162.75:7070

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6