General

  • Target

    JaffaCakes118_778352e1152d5534284fddae6556738c12657d2efc2417e2baf88ce7aca2bc0a

  • Size

    1.2MB

  • Sample

    241222-hh37bsxqfs

  • MD5

    a180daf95fa8fde0b8ea36bfde33f8cd

  • SHA1

    4fa650b7f1311e3c6f587c0541e69c8a98fd30bb

  • SHA256

    778352e1152d5534284fddae6556738c12657d2efc2417e2baf88ce7aca2bc0a

  • SHA512

    79b9a8252c6576be3e3873d10bba38aa4d0ac9325586c8bc1606fd3c1bd77026d8295733f46179b75ec1ec9093906fc926095011fac3bba4353fed11a91612ab

  • SSDEEP

    768:A+hc043t3q+6g8zOzRO/qe7CQ0RoFDiqHoV/JH:PXr5szRO/qoaRoJi9r

Malware Config

Extracted

  • Family

    vjw0rm

  • C2

    http://dingspread.duckdns.org:6130

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://52.27.15.250/A/behdhdjdj.txt

Targets

    • Target

      WROO1_Invoice_Copy.js

    • Size

      17KB

    • MD5

      d27a6555f01b023f146f6662d01070b3

    • SHA1

      5d8e310ca992ed1c804a6fc54d55acd7a394d46f

    • SHA256

      c40b980e8d0447cc55bffa7c5f5af8f7dba5d3ff411edfc028836c7a631af874

    • SHA512

      3849e8e57b2b478f8e6dcaeb3f1376671774733600c2b1a1cc927800979b2c80e6d8b61748fbfe14b75bfb212712b833c4eddc3e89e24478984063d13c8bf4ac

    • SSDEEP

      384:/cTeWWL43t3q+BCjg52zOzRO/qegMtVcYFt06GohmIlDG3qHoV/JHH:/c043t3q+6g8zOzRO/qe7CQ0RoFDiqHi

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Target

      WROO2_Invoice_Copy.vbs

    • Size

      509B

    • MD5

      ac62735aa02614b0c7fee7df55e0da9b

    • SHA1

      e173edb6949226372dd3eedc47d9369b26ee5577

    • SHA256

      48951f6847400dd39cba2f5ba0376e08bb4b7e36a4c3567792289734758b7bf9

    • SHA512

      1867116e4f375b98d653617682937fdacfd0892b5f3b3246cf612bca00407829ce55d725a4e8daf712323e9408a55d31fc2a8cc5696357ce9b4bc969de6cc709

    • Score

      10/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks