General

  • Target

    IMG-02200001.js

  • Size

    14KB

  • Sample

    221005-l6smaaeab7

  • MD5

    abe454ff73cc47686a8dc9a80d42b764

  • SHA1

    a2b1ec806ab1d131aaa736bd6f8825f9bd8e303c

  • SHA256

    7fb2e5a6bc97c04d0fab46503ebd49d6b809e04506c06734c9c1e8584059b6a9

  • SHA512

    3fda2a1c37880ccfde59c7dc6e94938e51ac3e83b7c79c3a166173318178714ed195b54bc8f66d5a56cda89d23ccc9a958a9dcc0f7f1ef49c00ec3fed1c11330

  • SSDEEP

    384:8EVAFXOaE6YD+f0UELie88fbKbPySqewMtYevFSr7:8EKFXOvYMWXZbPVqRuSr7

Malware Config

Extracted

Family

vjw0rm

C2

http://severdops.ddns.net:5050

Targets

    • Target

      IMG-02200001.js

    • Size

      14KB

    • MD5

      abe454ff73cc47686a8dc9a80d42b764

    • SHA1

      a2b1ec806ab1d131aaa736bd6f8825f9bd8e303c

    • SHA256

      7fb2e5a6bc97c04d0fab46503ebd49d6b809e04506c06734c9c1e8584059b6a9

    • SHA512

      3fda2a1c37880ccfde59c7dc6e94938e51ac3e83b7c79c3a166173318178714ed195b54bc8f66d5a56cda89d23ccc9a958a9dcc0f7f1ef49c00ec3fed1c11330

    • SSDEEP

      384:8EVAFXOaE6YD+f0UELie88fbKbPySqewMtYevFSr7:8EKFXOvYMWXZbPVqRuSr7

    • Vjw0rm

      Vjw0rm (Vengeance Justice Worm) is a remote access trojan written in JavaScript. It is delivered as a .js lure such as the one analysed here, runs under the Windows Script Host (wscript.exe), and establishes persistence through the Run key and the Startup folder.

    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check before running the payload.

    • Drops startup file

    • Adds Run key to start application
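The following is an added hunting example, not part of the sandbox report and not vjw0rm's own code. It takes the indicators the report does give (the file hashes and the C2 `http://severdops.ddns.net:5050`) and the three behaviours it flags (a script host making a network request, a Run key, a Startup-folder drop) and runs them over constructed Sysmon-style events. The Sysmon event IDs (1 process create, 3 network connect, 11 file create, 13 registry value set) are real; the event contents, the Run value name and the dropped file name are made up, because the report does not name them. Note that the C2 host is a dynamic-DNS name, so its IP address can change at any time; match on the hostname and port rather than on an address.

```python
"""Hunting helpers built from the indicators in this report: the sample's
hashes, the vjw0rm C2, and the three behaviours the sandbox flagged
(script host making a network request, Run key, Startup-folder drop).
All events below are constructed for the example, not taken from the run."""
import hashlib
import json
import re
from urllib.parse import urlparse

# Indicators copied from the report.
REPORT_HASHES = {
    "md5": "abe454ff73cc47686a8dc9a80d42b764",
    "sha1": "a2b1ec806ab1d131aaa736bd6f8825f9bd8e303c",
    "sha256": "7fb2e5a6bc97c04d0fab46503ebd49d6b809e04506c06734c9c1e8584059b6a9",
}
C2_URL = "http://severdops.ddns.net:5050"
C2_HOST = urlparse(C2_URL).hostname
C2_PORT = urlparse(C2_URL).port

# Assumption: the .js lure runs under the Windows Script Host, so these are
# the "blocklisted" images whose outbound connections are suspicious.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, lower-case hex like the report."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if every digest agrees with the report; one mismatch means
    it is not this sample, whatever the file is called."""
    return hashes_of(data) == REPORT_HASHES


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Behaviours from the report that a single Sysmon-style event exhibits."""
    hits = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    if eid == 3 and image in SCRIPT_HOSTS:  # NetworkConnect from a script host
        hits.append("script host network request")
        if (ev.get("DestinationHostname", "").lower() == C2_HOST
                and int(ev.get("DestinationPort", 0)) == C2_PORT):
            hits.append("vjw0rm C2 contact")
    elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):  # RegistryValueSet
        hits.append("Run key persistence")
    elif eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):  # FileCreate
        hits.append("Startup folder drop")
    return hits


def scan(jsonl: str) -> dict:
    """Map each matching event's RecordId to the behaviours it triggered."""
    findings = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings


# Constructed events (not from the sandbox run): a benign browser connection,
# the script host reaching the C2, a Run key write, and a Startup-folder drop.
# The value name and dropped file name are assumptions.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"RecordId": 1, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "DestinationHostname": "example.com", "DestinationPort": 443}),
    json.dumps({"RecordId": 2, "EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
                "DestinationHostname": "severdops.ddns.net", "DestinationPort": 5050}),
    json.dumps({"RecordId": 3, "EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\IMG-02200001"}),
    json.dumps({"RecordId": 4, "EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
                "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG-02200001.js"}),
])

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS).items():
        print(record_id, hits)
```

`matches_report` deliberately requires all three digests to agree rather than trusting the file name: the lure name `IMG-02200001.js` is trivially changed, the hashes are not. The script-host rule fires on any outbound connection from wscript.exe or cscript.exe, not only on this C2, because the same lure family rotates dynamic-DNS hostnames; the C2 match is layered on top to tie a hit to this specific sample.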

MITRE ATT&CK Enterprise v6

Tasks