General

  • Target

    JaffaCakes118_639a52ac0f48d8f50087a000045ca96697b82bac64354c24e943d05adf382f54

  • Size

    1.2MB

  • Sample

    241226-w4ggcatqhw

  • MD5

    20db56ec8e3303573fb75081ed93528e

  • SHA1

    dbc6ae87432142e74d5956992c519489ad2a2240

  • SHA256

    639a52ac0f48d8f50087a000045ca96697b82bac64354c24e943d05adf382f54

  • SHA512

    db040dddf91166a3d99994918e316f931e33ca7690dd320d4235332be646a9c141be16cb2241089759eb2b190c38d24b6ef4e319b97de18053df0ceedb7abd13

  • SSDEEP

    384:GfqOR0B0TC7OYDDI5OGyiHThWgdJ/+rVLR3HDVsulx/oXS7fMuWLG:GfDR06KDozhWOJWrxRhs0/g4vWLG

Malware Config

Targets

    • Target

      #YNOO1.js

    • Size

      16KB

    • MD5

      a1a3e5dae77dc6f0583baa8aba265e15

    • SHA1

      336a077a4bb9bd5256326d8499da778fa96ff253

    • SHA256

      293873306a36a941044538e83294552b6bb9ec7519be1c3d0f022b7e1eac204a

    • SHA512

      4924c89011c4871954f0fb816a16618039a94ffcbd5111eddf8a9b3aac0bf53d7a35f3dd737843c50bb91c3f282318c69ea0edeff18c0227abd08146b01830b7

    • SSDEEP

      384:a0TC7OYDDI5OGyiHThWgdJ/+rVLR3HDVsp:ZKDozhWOJWrxRhsp

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Target

      #YNOO2.js

    • Size

      7KB

    • MD5

      aa7a0447437a65fe55dad70eb23ee51c

    • SHA1

      13a4ff9fbba5bf86c2943651bb253f28c09c0734

    • SHA256

      959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c

    • SHA512

      e507b3065fb94d6610d72d6b723cabde19634eee11684b8864cc737fd530473be4989e9cb039a89b774952a5f881a6e6cbea834371817d31bb285b2ec2e117c4

    • SSDEEP

      192:il3hrVMAMDXHULo/TZq+WXfpHBM3tHMqeW2uGpqj:ilx/oXS7fMuWLGo

    Score
    8/10
    • Blocklisted process makes network request

MITRE ATT&CK Enterprise v15

Tasks