General
Target: PDF21379812806421.js
Size: 183.0MB
Sample: 230905-s4bpbagh33
MD5: 0b6cdf3f04431c595c737e6d90096f5c
SHA1: db4741d75bee2dba0a10f9fa6ee18e1e3d11a6aa
SHA256: c00e4a30f60cfc50dc0f94faf31f12281aff02bba1bf28ef302ec9f34115997d
SHA512: 8139ad0e59211b7fb79005ecbaeb9dc9364b7448445de5ad0f94230cb23fe142de75facb5693473a9da0b7ead536d68fee6cde906ac72ef281a9a4130bd29b89
SSDEEP: 96:3ZH1uyMXIJoC2lcJc9lidMcbz2S2ZFhEUWqO7QyL6c/PTRZ9m/PTQaiPaRU8NRr0:3ZVhls82S2ZF6v7QI6cFXmsCU8NRrF
Static task: static1
Behavioral task: behavioral1 (sample PDF21379812806421.js, resource win7-20230831-en)
Behavioral task: behavioral2 (sample PDF21379812806421.js, resource win10v2004-20230831-en)
Malware Config
Extracted family: vjw0rm
C2: http://thicksaver.duckdns.org:1120
Targets
Target: PDF21379812806421.js (size and hashes as listed under General above)
Score: 10/10
Signatures
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Checks system information in the registry: system information is often read in order to detect sandbox environments.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 2
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
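The report gives a hunter three things to pivot on: the file hashes, the extracted C2 URL, and the Run-key persistence signature. The following Python script is an added example, not part of the sandbox report and not code from the vjw0rm sample, that turns those into offline checks: it matches a file against the report's MD5/SHA256, splits the C2 URL into host and port for blocking rules, flags Run-key values that launch a Windows Script Host binary or a script file, and finds DNS queries for the C2 host. The `reg query` export and DNS log lines are constructed for illustration; the Run value name `PDF21379812806421` and the DNS log format are assumptions, not facts from the report.

```python
"""Turn the report's indicators into host/DNS checks.

Added example, not part of the sandbox report. The Run-key export and
DNS log lines below are constructed; the value name PDF21379812806421
and the log format are assumptions, not report data.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "0b6cdf3f04431c595c737e6d90096f5c",
    "sha256": "c00e4a30f60cfc50dc0f94faf31f12281aff02bba1bf28ef302ec9f34115997d",
}
C2_URL = "http://thicksaver.duckdns.org:1120"

# Windows Script Host binaries and script extensions a .js dropper would
# persist through when it adds a Run key (assumption: generic WSH persistence).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b")


def parse_c2(url: str = C2_URL) -> tuple:
    """Split the extracted C2 URL into (host, port) for firewall/DNS rules."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def file_matches(data: bytes, hashes: dict = REPORT_HASHES) -> bool:
    """True if the bytes hash to the MD5 or SHA256 in `hashes`."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return md5 == hashes.get("md5") or sha256 == hashes.get("sha256")


# One value line of `reg query HKCU\...\Run` output: name, type, data.
RUN_LINE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def suspicious_run_values(reg_query_output: str) -> list:
    """Names of Run-key values that launch a script host or a script file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        data = m.group("data").lower()
        if any(h in data for h in SCRIPT_HOSTS) or SCRIPT_EXT.search(data):
            hits.append(m.group("name"))
    return hits


DNS_QUERY = re.compile(r"query=(?P<qname>[\w.-]+)")


def dns_hits(log_lines, c2_host: str) -> list:
    """Log lines whose queried name equals the C2 host (case and trailing dot ignored)."""
    want = c2_host.lower().rstrip(".")
    return [
        line for line in log_lines
        if (m := DNS_QUERY.search(line)) and m.group("qname").lower().rstrip(".") == want
    ]


# Constructed sample inputs (not from the report).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    PDF21379812806421    REG_SZ    wscript.exe //B "C:\Users\lab\AppData\Roaming\PDF21379812806421.js"
"""
SAMPLE_DNS = [
    "2023-09-05T14:03:10Z client=10.0.0.7 query=login.microsoftonline.com type=A",
    "2023-09-05T14:03:12Z client=10.0.0.7 query=thicksaver.duckdns.org type=A",
    "2023-09-05T14:03:12Z client=10.0.0.7 query=THICKSAVER.duckdns.org. type=AAAA",
]


def hunt(file_data: bytes, reg_query_output: str, dns_lines) -> dict:
    """Run every check and return a summary dict."""
    host, port = parse_c2()
    return {
        "hash_match": file_matches(file_data),
        "run_values": suspicious_run_values(reg_query_output),
        "dns_hits": len(dns_hits(dns_lines, host)),
        "c2": (host, port),
    }


if __name__ == "__main__":
    print(hunt(b"not the sample", SAMPLE_RUN_KEY, SAMPLE_DNS))
```

The hash check is exact-match only; the report's SSDEEP value is the hook for finding repacked variants, which this script deliberately leaves to a fuzzy-hash tool. The Run-key check is the generic form of the "Adds Run key to start application" signature, so on a real host it will also surface benign scripts and needs analyst review.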