Analysis Overview
SHA256
b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
Threat Level: Known bad
The file jQCWVHjWAA.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-17 15:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-17 15:31
Reported
2022-08-17 15:33
Platform
win7-20220812-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1416 wrote to memory of 1528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1416 wrote to memory of 1528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1416 wrote to memory of 1528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
Files
memory/1528-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js
| MD5 | a542a21ecaba36f6ba8c6457b8ab67f9 |
| SHA1 | 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c |
| SHA256 | bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b |
| SHA512 | 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a |
memory/1528-56-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-17 15:31
Reported
2022-08-17 15:33
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3116 wrote to memory of 4480 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3116 wrote to memory of 4480 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.247.211.254:80 | | tcp |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | | tcp |
| CH | 91.192.100.8:8159 | | tcp |
Files
memory/4480-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js
| MD5 | a542a21ecaba36f6ba8c6457b8ab67f9 |
| SHA1 | 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c |
| SHA256 | bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b |
| SHA512 | 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a |
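Both behavioral runs above record the same chain: wscript.exe launched from the user's Temp directory, a copy of the script written into the Start Menu Startup folder and a second script dropped under AppData\Roaming, a child wscript.exe started in silent mode (//B) on that dropped file, one DNS lookup of a dynamic-DNS name, and dozens of TCP connections from the child to the same host on port 8159. The following Python is an added example, not part of this report and not the sandbox's own signature logic: it replays those observations as Sysmon-style event records and applies the checks an analyst would encode from them. The event IDs and field names (1 process create, 3 network connect, 11 file create, 22 DNS query), the dynamic-DNS watchlist, the beacon threshold, and the constructed EVENTS list are assumptions; PIDs, paths, hostname and port are taken from the report.

```python
"""Replay the behaviour recorded in this report as Sysmon-style events and
emit findings.  Added example, not part of the sandbox report.  Event IDs and
field names follow Sysmon as an assumption; EVENTS is constructed from the
PIDs, paths, hostname and port shown in the report."""
import re
from collections import Counter

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Analyst watchlist of dynamic-DNS suffixes: the entry comes from the report,
# the list itself is an assumption and would normally be far longer.
DDNS_SUFFIXES = (".duia.ro",)
BEACON_THRESHOLD = 10   # repeated connects to one ip:port before we call it beaconing
WEB_PORTS = {80, 443}

WSCRIPT = r"C:\Windows\System32\wscript.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed events mirroring the behavioral1 run.
EVENTS = [
    {"EventID": 1, "ProcessId": 1416, "Image": WSCRIPT,
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js"},
    {"EventID": 11, "ProcessId": 1416, "Image": WSCRIPT,
     "TargetFilename": STARTUP + r"\jQCWVHjWAA.js"},
    {"EventID": 11, "ProcessId": 1416, "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"},
    {"EventID": 1, "ProcessId": 1528, "ParentProcessId": 1416, "Image": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"'},
    {"EventID": 22, "ProcessId": 1528, "Image": WSCRIPT, "QueryName": "macjoe597.duia.ro"},
] + 30 * [{"EventID": 3, "ProcessId": 1528, "Image": WSCRIPT, "Protocol": "tcp",
           "DestinationIp": "91.192.100.8", "DestinationPort": 8159}]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _finding(rule, ev, evidence):
    return {"rule": rule, "pid": ev["ProcessId"], "evidence": evidence}


def check_process_create(ev):
    """Script host started in silent mode (//B) or on a script in a user-writable path."""
    if ev["EventID"] != 1 or _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return []
    low = ev["CommandLine"].lower()
    out = []
    if re.search(r"(^|\s)//b(\s|$)", low):
        out.append(_finding("script_host_silent_mode", ev, ev["CommandLine"]))
    script = re.search(r'[a-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf)\b', low)
    if script and any(d in script.group(0) for d in USER_WRITABLE):
        out.append(_finding("script_from_user_writable_path", ev, script.group(0)))
    return out


def check_file_create(ev):
    """Script written into the Startup folder (persistence) or dropped elsewhere in user space."""
    if ev["EventID"] != 11 or _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return []
    target = ev["TargetFilename"].lower()
    if not target.endswith(SCRIPT_EXTS):
        return []
    if STARTUP_DIR in target:
        return [_finding("persistence_startup_script", ev, ev["TargetFilename"])]
    if any(d in target for d in USER_WRITABLE):
        return [_finding("script_host_drops_script", ev, ev["TargetFilename"])]
    return []


def check_dns(ev):
    """Script host resolving a name under a dynamic-DNS provider on the watchlist."""
    if ev["EventID"] != 22 or _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return []
    if ev["QueryName"].lower().endswith(DDNS_SUFFIXES):
        return [_finding("ddns_resolution", ev, ev["QueryName"])]
    return []


def check_beaconing(events):
    """Many connects from one script-host process to one ip:port that is not 80/443."""
    counts = Counter(
        (ev["ProcessId"], ev["DestinationIp"], ev["DestinationPort"], ev["Protocol"])
        for ev in events
        if ev["EventID"] == 3 and _basename(ev["Image"]) in SCRIPT_HOSTS
    )
    return [
        {"rule": "beaconing", "pid": pid, "evidence": f"{n}x {proto}://{ip}:{port}"}
        for (pid, ip, port, proto), n in counts.items()
        if n >= BEACON_THRESHOLD and port not in WEB_PORTS
    ]


def triage(events):
    findings = []
    for ev in events:
        findings += check_process_create(ev) + check_file_create(ev) + check_dns(ev)
    findings += check_beaconing(events)
    return findings


def summarize(findings):
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:<32} pid={f['pid']} {f['evidence']}")
```

Run against the constructed events this yields seven findings: two script-from-user-writable-path hits (one per wscript.exe instance), one silent-mode launch, one Startup-folder write, one drop under Roaming, one dynamic-DNS resolution, and one beaconing hit for the thirty connections to 91.192.100.8:8159. The per-event checks are cheap enough to run on a live Sysmon stream; the beaconing check needs a window of events, so in production it would sit behind a short time-bucketed aggregation rather than a whole-list pass.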