General

  • Target

    eReceipt#014.js

  • Size

    20KB

  • Sample

    220915-je9qdagaaq

  • MD5

    ac17266a6f4e034d8222cc8c73ecfe92

  • SHA1

    f1a2435452ce47652920397f7b18e8ee38220104

  • SHA256

    bca855ddcab9af931ca78d15815b429010f28d8dcda8f8284bc3cc3a335b0434

  • SHA512

    ea0815b12587ae8f9ba6033b652111153be7e08ed0bacb71a247174cb7e3058aa23f04c27fb87baecd4217aaa475bd34fa2d957027bdd33cd5d2bc47d3813623

  • SSDEEP

    384:ppph5Bjxjn/Has3HqdnoUgnziMjMOq4iW7TcIFW3Acr1sqBxk:ppph5BjxjfaHdnoziOqoa1sqBxk

Malware Config

Extracted

Family

vjw0rm

C2

http://zeegod.duckdns.org:9004

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application
