General

  • Target

    Open Invoices20220919.js

  • Size

    15KB

  • Sample

    220921-cszzrsadcr

  • MD5

    a4b325700f220d567a162da58d4caaea

  • SHA1

    38e6ab4d7c9496336b0d05db64bc1d04aa8772d0

  • SHA256

    acd2a7accac4547cdb44f41cddea4bdf65b63469cffa10dcbdea9d6d3e83c6ee

  • SHA512

    9dfd486b4a5fc50531601c115a9636cb892da21ccfed9619c043eb9c5069c4e298519c4f950644a8f99303cdda7c6d960ff0d289625d73271c093f888ecee181

  • SSDEEP

    192:FPv7CWP433c4+jRYNlgXoLYueZ58NkveY1LwHGkiXJzFQkkLeDkvuXM8V5ihXfI9:lLElgXWeZn1LwHYQIDkv19fI4hFlqMy

Malware Config

Extracted

Family

vjw0rm

C2

http://alukoren.duckdns.org:9144

Targets

    • Target

      Open Invoices20220919.js

    • Size

      15KB

    • MD5

      a4b325700f220d567a162da58d4caaea

    • SHA1

      38e6ab4d7c9496336b0d05db64bc1d04aa8772d0

    • SHA256

      acd2a7accac4547cdb44f41cddea4bdf65b63469cffa10dcbdea9d6d3e83c6ee

    • SHA512

      9dfd486b4a5fc50531601c115a9636cb892da21ccfed9619c043eb9c5069c4e298519c4f950644a8f99303cdda7c6d960ff0d289625d73271c093f888ecee181

    • SSDEEP

      192:FPv7CWP433c4+jRYNlgXoLYueZ58NkveY1LwHGkiXJzFQkkLeDkvuXM8V5ihXfI9:lLElgXWeZn1LwHYQIDkv19fI4hFlqMy

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript. It is delivered as a .js file (here Open Invoices20220919.js) that runs under the Windows Script Host (wscript.exe), persists through the Startup folder and a Run key, and reports to its command-and-control server over HTTP, in this sample http://alukoren.duckdns.org:9144.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so the payload only runs (or does not run) in certain regions.

    • Drops startup file

      Writes a copy of the script into the user's Startup folder so it is launched at every logon.

    • Adds Run key to start application

      Creates a value under a CurrentVersion\Run key that points at the dropped script, a second persistence mechanism alongside the Startup folder copy.
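The signatures above (script host making a network request, country-code lookup, Startup folder drop, Run key) and the extracted C2 can be turned into detection logic for endpoint telemetry. The following is an added example, not part of the sandbox report or of the Vjw0rm family itself: it runs a small rule set over constructed behaviour events. Only the C2 host and port come from the report; the event format, the field names, the file paths and the registry values are assumptions made for the example.

```python
"""Added example (not from the report): match the report's signatures against
constructed sandbox-style behaviour events.

Assumed event shape (made up for this example):
  {"type": "process_start"|"network_connect"|"file_create"|
           "registry_read"|"registry_set", "process": <image path>, ...}
"""
import re

# Indicators taken from the report: C2 http://alukoren.duckdns.org:9144
C2_HOST = "alukoren.duckdns.org"
C2_PORT = 9144

# Windows script hosts that execute .js droppers such as this sample.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Values a geofence check reads: country name, locale, or the GeoID nation.
LOCALE_KEY_RE = re.compile(
    r"\\Control Panel\\International\\(sCountry|LocaleName|Geo\\Nation)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launches_script(cmd: str) -> bool:
    """True if a command line or Run value starts a script host or a script file."""
    tokens = cmd.replace('"', " ").split()
    return bool(tokens) and (
        image_name(tokens[0]) in SCRIPT_HOSTS or bool(SCRIPT_EXT_RE.search(cmd)))


def classify(ev: dict) -> list:
    """Return the signature names a single event triggers (possibly none)."""
    hits = []
    kind = ev["type"]
    proc = image_name(ev.get("process", ""))
    if kind == "process_start" and proc in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(ev.get("cmdline", "")):
        hits.append("Script host executes script file")
    if kind == "network_connect" and proc in SCRIPT_HOSTS:
        hits.append("Blocklisted process makes network request")
        if ev.get("dest_host", "").lower() == C2_HOST and ev.get("dest_port") == C2_PORT:
            hits.append("Connects to known vjw0rm C2")
    if kind == "registry_read" and LOCALE_KEY_RE.search(ev.get("key", "")):
        hits.append("Checks computer location settings")
    if kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")) and launches_script(ev.get("value", "")):
        hits.append("Adds Run key to start application")
    if kind == "file_create" and STARTUP_DIR_RE.search(ev.get("path", "")) and SCRIPT_EXT_RE.search(ev.get("path", "")):
        hits.append("Drops startup file")
    return hits


def summarize(events: list) -> dict:
    """Aggregate signatures and every destination a script host talked to."""
    sigs, conns = set(), set()
    for ev in events:
        sigs.update(classify(ev))
        if ev["type"] == "network_connect" and image_name(ev.get("process", "")) in SCRIPT_HOSTS:
            conns.add((ev["dest_host"].lower(), ev["dest_port"]))
    return {"signatures": sorted(sigs), "script_host_connections": sorted(conns)}


# Constructed events imitating what the report describes; paths and values are assumed.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Open Invoices20220919.js"
SAMPLE_EVENTS = [
    {"type": "process_start", "process": WSCRIPT,
     "cmdline": f'"{WSCRIPT}" "C:\\Users\\user\\Downloads\\Open Invoices20220919.js"'},
    {"type": "registry_read", "process": WSCRIPT,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "process": WSCRIPT, "path": DROPPED},
    {"type": "registry_set", "process": WSCRIPT,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Open Invoices20220919",
     "value": f'"{DROPPED}"'},
    {"type": "network_connect", "process": WSCRIPT,
     "dest_host": "alukoren.duckdns.org", "dest_port": 9144},
    # Benign control: a browser-like process talking HTTPS should trigger nothing.
    {"type": "network_connect", "process": r"C:\Program Files\Firefox\firefox.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], "->", classify(ev))
    print(summarize(SAMPLE_EVENTS))
```

The rules deliberately separate the generic behaviour (any script host opening a socket, any Run value that launches a .js) from the sample-specific indicator (the duckdns host and port 9144), so the generic rules keep firing after the actor rotates the C2 domain.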
