General

  • Target

    Payments 0922.js

  • Size

    45KB

  • Sample

    220928-t3n4pahffl

  • MD5

    97ef90d95ffd99599738b53f474933e5

  • SHA1

    250d715f55cefc63dd208fe98871e41598577dcf

  • SHA256

    9187ffcbcc9c534c0c6af5174f842dea862e9f2609bcd35f7e83d05b05ee827e

  • SHA512

    4b73002ca99afa17d0de40914852ece2c057b758cd02ecd5e38aeedaab328bfa57a39036a6d5bdd097a9ff1f0eedb76c0a875b8269f1ce263a33ca84509d9ed0

  • SSDEEP

    768:dfufjgN2aDvXmoy7bXjG7eK4dSbup/RpHoxFCuNdcir/JsXtk6+yZk0Sas0YcE:dfufjgMaaT7bTG6Abup/HHox8cdcir/p

Targets

    • Target

      Payments 0922.js


    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application
