General

  • Target

    Request Quote PDF.js

  • Size

    16KB

  • Sample

    220914-p6b63sadb4

  • MD5

    5d2bc7c7f4fb2369606b9f5bbe76da8b

  • SHA1

    2cb855d4865629183046d76a79b44ab8356733a2

  • SHA256

    ed3549842feb834b1eb463394cf741a62c1f9ffcf119b6d0ddaa12d195550b70

  • SHA512

    3b1ff6df6dec0fc10412b7e71d8431aedcc419fa627c6ee864d7eb9291fd2366f0faace39470f5246e749010953c53ed7e2ca635e98f34e07c4b96d95864ae47

  • SSDEEP

    384:N9/ORKt8Mv1LwHOSHLgJlSvFXeRRyT6JUq0PL0y:NwEdLegsFkRyToUq0PL0y

Malware Config

Extracted

Family

vjw0rm

C2

http://185.216.71.251:7575

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6