General

  • Target

    invoice56373838373.js

  • Size

    5KB

  • Sample

    220929-eqnvtshgb3

  • MD5

    8a941c71c17b535d80120149db8b522a

  • SHA1

    f90e1d61ab7deeeeaf63b814cc60090fa406d503

  • SHA256

    e7d15b4546c61001f0709ebfa4068c45ee5acce06a0ac60c040e46c97b805aa7

  • SHA512

    b631c14f037c0b8cd331780273d6a2761a1ee3d5da8d193d64fd75d4edaebde9e68b30550e3142d41e77aff89f259a3fdf0ae185de33aa2999860e8c315bec1d

  • SSDEEP

    96:SABNo5D/k2c24ZRMHXE6/BI0u+Ys+fJR9kDdQqR7bJyKhB/OS4Uu/ingHXRZfzYF:zSo2c24ZRMlBI6Ys+fJR96fRfqJingHW

Malware Config

Extracted

Family

vjw0rm

C2

http://zlat.duckdns.org:7974

Targets

    • Target

      invoice56373838373.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Adds Run key to start application
