ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://mchristopherr83.duckdns.org:7922/Vre.

Database Entry

IOC ID: 233075
IOC: http://mchristopherr83.duckdns.org:7922/Vre
IOC Type: url
Threat Type: botnet_cc
Malware: Vjw0rm
Confidence Level: high (100%)
First seen: 2021-10-12 21:47:53 UTC
Last seen: never
UUID: 0de930bc-2ba6-11ec-a35f-42010aa4000a
Reporter: @AndreGironda
Reward: 5 credits from ThreatFox
Tags: Vjw0rm
Reference: https://tria.ge/211012-wpbybachc5

Twitter: @AndreGironda
MITRE ATT&CK: T1566.001
Date: Tue, 12 Oct 2021 14:30-15:00 -0000
Received: from smtp76.ord1c.emailsrvr.com (108.166.43.76)
From: "Maresca"<saritha.b@idctechnologies.com>
Subject: Invoice Order #C0083 Attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0083_01C2A9A6.6D2DA85C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Classification-ID: bb92a42b-411b-4bde-9867-2ce8d177af82-1-1
Message-ID: <202b28d4-969a-45ac-9bc8-57cd67ee551e@BN8NAM11FT056.eop-nam11.prod.protection.outlook.com>
To: Undisclosed recipients:;
Return-Path: saritha.b@idctechnologies.com
Attachment Name: C0083_Invoice_Copy.iso
Attachment SHA256: 1ac5463d860af063a8653ef3bc02c6a0a28d089ded5d759530ebe54e8c1da498
Unzipped JavaScript Dropper Name: C0083_Invoice_Copy.js
Vjw0rm JS Dropper SHA256: 9af04e365ed1f2e0ea04dc71729f0e3341f0f981405c9f3ddd6d6d7b693fb733

Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse

[info] IOC: The script read a registry key
[warn] Unknown registry key HKCU\vjw0rm!
[info] Script read environment variable temp
[info] IOC: The script copied a file.
[info] Copying C:Users\Sysop12\AppData\Roaming\Microsoft\Templates\0.2638666.jse to C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse
[info] IOC: The script wrote a file.
[info] IOC: The script wrote to a registry key
[info] Setting registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M to "C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse" of type REG_SZ
[info] IOC: The script ran a command.
[info] Executing C0083_Invoice_Copy.js.1.results/7523e447-d832-4869-9dfb-9f7c33e3ee43 in the WScript shell
[info] IOC: The script copied a file.
[info] Copying C:Users\Sysop12\AppData\Roaming\Microsoft\Templates\0.2638666.jse to C:\Users\MyUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\0.2638666.jse
[info] IOC: The script wrote a file.
[info] Script read environment variable windir
[info] Script read environment variable computername
[info] Script read environment variable username
[info] Script tried to read information about operating system
[info] Header set for http://mchristopherr83.duckdns.org:7922/Vre:
[info] POST http://mchristopherr83.duckdns.org:7922/Vre
[info] IOC: The script fetched an URL
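Added example (not part of the ThreatFox entry or the reporter's submission): a small Python extractor that turns the sandbox lines and the schtasks command quoted above into structured IOCs, so the same dropper family can be triaged from a fresh sandbox run without reading the log by hand. The sample log is a constructed, trimmed copy of the lines above; the ATT&CK mapping (T1547.001 for the Run key and Startup folder copy, T1053.005 for the scheduled task, T1071.001 for the HTTP POST) and the short dynamic-DNS suffix list are the example's own additions and are not asserted by the entry.

```python
"""IOC extractor for the sandbox log format quoted above (Vjw0rm JS dropper).

Added example, not part of the ThreatFox entry. The ATT&CK mapping and the
dynamic-DNS suffix list are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the schtasks line and the sandbox lines
# quoted in the entry above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse
[info] IOC: The script read a registry key
[warn] Unknown registry key HKCU\vjw0rm!
[info] Copying C:Users\Sysop12\AppData\Roaming\Microsoft\Templates\0.2638666.jse to C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse
[info] Setting registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JX0T7EQ31M to "C:\Users\SYSOP1~1\AppData\Local\Temp\0.2638666.jse" of type REG_SZ
[info] Copying C:Users\Sysop12\AppData\Roaming\Microsoft\Templates\0.2638666.jse to C:\Users\MyUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\0.2638666.jse
[info] Header set for http://mchristopherr83.duckdns.org:7922/Vre:
[info] POST http://mchristopherr83.duckdns.org:7922/Vre
"""

# Illustrative, non-exhaustive list of dynamic-DNS providers worth flagging.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Registry key the sandbox did not recognise (the dropper reads HKCU\vjw0rm first).
MARKER_RE = re.compile(r"Unknown registry key (HK[A-Z]+\\\S+?)!?$")
# HKxx\...\CurrentVersion\Run\<value name> = "<command>"
RUN_KEY_RE = re.compile(
    r'Setting registry key HK[A-Z]+\\.*?\\CurrentVersion\\Run\\(\S+) to "([^"]+)"')
COPY_RE = re.compile(r"Copying (.+?) to (.+)$")
# Tolerates the missing closing quote seen in the quoted schtasks line.
SCHTASKS_RE = re.compile(r'schtasks /create .*?/tn (\S+) /tr "?([^"]+)"?$', re.I)
HTTP_RE = re.compile(r"\b(GET|POST) (https?://\S+)")


@dataclass
class IocReport:
    marker_keys: list = field(default_factory=list)      # registry keys read before install
    run_keys: list = field(default_factory=list)         # (value name, command)
    copies: list = field(default_factory=list)           # (src, dst) file copies
    startup_copies: list = field(default_factory=list)   # dst paths under the Startup folder
    scheduled_tasks: list = field(default_factory=list)  # (task name, action)
    network: list = field(default_factory=list)          # one dict per HTTP request
    techniques: set = field(default_factory=set)         # ATT&CK technique IDs (assumed mapping)


def is_dynamic_dns(host: str) -> bool:
    """True if host is, or sits under, one of the listed dynamic-DNS zones."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def extract_iocs(log: str) -> IocReport:
    """Walk the log line by line and collect persistence and C2 indicators."""
    rep = IocReport()
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MARKER_RE.search(line):
            rep.marker_keys.append(m.group(1))
        if m := RUN_KEY_RE.search(line):
            rep.run_keys.append((m.group(1), m.group(2)))
            rep.techniques.add("T1547.001")  # Registry Run Keys / Startup Folder
        if m := COPY_RE.search(line):
            src, dst = m.group(1), m.group(2)
            rep.copies.append((src, dst))
            if "\\startup\\" in dst.lower():
                rep.startup_copies.append(dst)
                rep.techniques.add("T1547.001")
        if m := SCHTASKS_RE.search(line):
            rep.scheduled_tasks.append((m.group(1), m.group(2).strip()))
            rep.techniques.add("T1053.005")  # Scheduled Task
        if m := HTTP_RE.search(line):
            u = urlparse(m.group(2))
            rep.network.append({
                "method": m.group(1), "url": m.group(2), "host": u.hostname,
                "port": u.port, "path": u.path,
                "dynamic_dns": is_dynamic_dns(u.hostname or ""),
            })
            rep.techniques.add("T1071.001")  # Application Layer Protocol: Web
    return rep


def summarize(rep: IocReport) -> list:
    """Human-readable one-liners, in the order an analyst would want them."""
    out = [f"marker key: {k}" for k in rep.marker_keys]
    out += [f"Run key {n} -> {cmd}" for n, cmd in rep.run_keys]
    out += [f"Startup copy: {p}" for p in rep.startup_copies]
    out += [f"schtasks {n} -> {a}" for n, a in rep.scheduled_tasks]
    out += [f"{r['method']} {r['url']} (dynamic DNS: {r['dynamic_dns']})" for r in rep.network]
    out.append("ATT&CK: " + ", ".join(sorted(rep.techniques)))
    return out


if __name__ == "__main__":
    for line in summarize(extract_iocs(SAMPLE_LOG)):
        print(line)
```

The C2 host here resolves through duckdns.org, so blocking the single hostname has little lasting value; the durable network indicators are the non-standard port and the fixed `/Vre` path, which is why the extractor keeps host, port and path apart rather than only the full URL.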