General

  • Target

    receipt-ups.js

  • Size

    20KB

  • Sample

    220914-hh3kssdbgp

  • MD5

    90878808fd81b0efad5d81eba547bd71

  • SHA1

    c6aa497f840342726077e9236897500fa61f479d

  • SHA256

    e02d3ad30b7532cf8a6958fb4eda93ba7d1b7f199df58374f5ccc90bb4f7e6b8

  • SHA512

    73056fac39b2ad261002358c9952fe052e2b8bfdc535443f66519b3b80aa6cc2ccb77b10f17cffb0bfb7f84c5b6114c0d2d379c763ee1020880ea8e9083f29b4

  • SSDEEP

    384:ppph5Bjxjn/Has3HadHsUQnzi73MOu4uWDTu4t/38zREKdyak:ppph5BjxjfandHs3bOuYtSREKdNk

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9004

Targets

    • Target

      receipt-ups.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks