General

  • Target

    insurance.es.js

  • Size

    97KB

  • Sample

    230228-3y6ydadc8t

  • MD5

    42d23b699c6dfbca209876a0f9a92bf9

  • SHA1

    df5f64e32bdc861bf3799dd679356e167fec48fb

  • SHA256

    d844fae5cdc61338bf5ec8f08804c844b50446dbaebf996643227e2c2967283f

  • SHA512

    8734b15942ffc5981d1b7da0d83560f51292cddab496cd62963dc70bdafeccb9a3e3008e452e12872ef443d0711451c22db5ab75390c915febc351b1067b5c53

  • SSDEEP

    192:nluzi75WbAZvu1hdh12cB5kw94tMa3dZYkVdPrv1kHWuuIVLk5/lWWWnazp6Lzj7:cz5KIy24jHuHWZqWWdLHKSq5dWBV

Malware Config

Extracted

Family

vjw0rm

C2

http://198.12.123.17:6040

Targets

    • Target

      insurance.es.js

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript; the sample here is the .js file itself, which runs under the Windows Script Host.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist (the script host interpreting the .js sample) opened an outbound network connection; with the extracted config, the destination of interest is the C2 at 198.12.123.17:6040.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely a geofence check that decides whether the payload runs in this locale.

    • Drops startup file

      Writes a file into a Startup folder so that it is executed at the next user logon.

    • Adds Run key to start application

      Creates a value under a CurrentVersion\Run registry key, the other standard logon persistence point; taken together with the Startup file this gives the sample two independent ways to survive a reboot.
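The report gives a practitioner three things to hunt on: the file hashes, the C2 address, and the two logon-persistence behaviours. The script below is an added example, not part of the sandbox report or its tooling. It takes those indicators from the report and checks them against (a) a file's content, (b) proxy/EDR-style connection log lines, and (c) a dump of Run-key values and Startup-folder file names. The log lines, registry values and paths at the bottom are constructed for the example, not sandbox output, and the set of "script host" process names is this example's own assumption about which source processes matter.

```python
"""Hunting helpers built from the indicators in the vjw0rm report above.

Added example: the hashes and C2 URL come from the report; everything in the
__main__ block is constructed test data, not output of the sandbox.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "42d23b699c6dfbca209876a0f9a92bf9",
    "sha1": "df5f64e32bdc861bf3799dd679356e167fec48fb",
    "sha256": "d844fae5cdc61338bf5ec8f08804c844b50446dbaebf996643227e2c2967283f",
}
C2_URL = "http://198.12.123.17:6040"

# Assumption of this example: source processes worth treating as "script
# hosts" when they talk to the C2 (a .js sample runs under wscript.exe).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Script extensions that have no business sitting in a Startup folder.
STARTUP_SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def file_matches_sample(data: bytes) -> dict:
    """Return, per algorithm, whether the file content matches the report's hash."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {algo: digests[algo] == want for algo, want in SAMPLE_HASHES.items()}


def c2_endpoint(url: str = C2_URL) -> tuple:
    """Split the C2 URL into (host, port), defaulting the port by scheme."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def flag_c2_connections(lines, url: str = C2_URL) -> list:
    """Return log lines that connect to the C2 host:port.

    Expected (constructed) line format: "<timestamp> <process> <dst_ip>:<dst_port>".
    Each hit records whether the source process is one of SCRIPT_HOSTS, which
    is the "blocklisted process makes network request" condition of the report.
    """
    host, port = c2_endpoint(url)
    pat = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s*$")
    hits = []
    for line in lines:
        m = pat.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts, proc, ip, dport = m.groups()
        if ip == host and int(dport) == port:
            hits.append({"time": ts, "process": proc,
                         "script_host": proc.lower() in SCRIPT_HOSTS})
    return hits


def suspicious_persistence(run_values: dict, startup_files: list) -> list:
    """Flag Run-key values and Startup-folder files that launch a script.

    run_values: value name -> command line, as read from
        HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    startup_files: file names found in the user's Startup folder.
    Returns (where, name, detail) tuples for everything that looks like the
    "Drops startup file" / "Adds Run key" behaviour in the report.
    """
    js_ref = re.compile(r"\.js[\"']?(\s|$)", re.IGNORECASE)
    flagged = []
    for name, cmd in run_values.items():
        lowered = cmd.lower()
        if js_ref.search(cmd) or any(h in lowered for h in SCRIPT_HOSTS):
            flagged.append(("run_key", name, cmd))
    for fname in startup_files:
        if fname.lower().endswith(STARTUP_SCRIPT_EXTS):
            flagged.append(("startup_folder", fname, fname))
    return flagged


if __name__ == "__main__":
    # Constructed data for the example; not taken from the sandbox run.
    log_lines = [
        "2023-02-28T15:01:02Z wscript.exe 198.12.123.17:6040",
        "2023-02-28T15:01:05Z chrome.exe 142.250.72.14:443",
        "2023-02-28T15:01:09Z svchost.exe 198.12.123.17:6040",
    ]
    run_values = {
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "insurance": r'wscript.exe //B "C:\Users\u\AppData\Roaming\insurance.es.js"',
    }
    startup_files = ["desktop.ini", "insurance.es.js"]

    print("C2 endpoint:", c2_endpoint())
    for hit in flag_c2_connections(log_lines):
        print("C2 contact:", hit)
    for where, name, detail in suspicious_persistence(run_values, startup_files):
        print("persistence:", where, name, "->", detail)
    print("hash match on dummy bytes:", file_matches_sample(b"not the sample"))
```

Run it on a host by replacing the constructed inputs with real data: `run_values` from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `startup_files` from a listing of `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, and `log_lines` from whatever connection log your EDR or proxy exports in a comparable "time process ip:port" shape. A hash match is conclusive; a C2 hit from a script host or a .js in Startup is strong evidence even when the file itself has been modified and no longer matches.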
