Malware Analysis Report

2025-06-15 21:05

Sample ID: 220819-rhtsbsedam
Target:    New Order.js
SHA256:    53bbab870aa1d49a4e311a68a163692115d59e4c2fd5493abca783dbf55f45f9
Tags:      vjw0rm persistence trojan worm
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  10/10
SHA256: 53bbab870aa1d49a4e311a68a163692115d59e4c2fd5493abca783dbf55f45f9

Threat Level: Known bad (the file New Order.js was found to be known bad)

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-19 14:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2022-08-19 14:12
Reported:         2022-08-19 14:14
Platform:         win7-20220812-en
Max time kernel:  148s
Max time network: 154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Drops startup file

Description  | Indicator                                                                                 | Process                         | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                             | Process                         | Target
Key created     | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                           | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\GR52XVJZ4Q = "\"C:\\Users\\Admin\\AppData\\Roaming\\New Order.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                         | Target                           | Count
PID 1964 wrote to memory of 1456 | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe  | 3
PID 1964 wrote to memory of 1724 | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe | 3

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js

Network

Country | Destination         | Domain             | Proto | Count
US      | 8.8.8.8:53          | severdops.ddns.net | udp   | 1
US      | 208.67.106.143:5050 | severdops.ddns.net | tcp   | 15

Files

memory/1964-54-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

memory/1456-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js

MD5 fbaec096e2d7b0f56c7abdb5f171e8b3
SHA1 2c26f08b135fa9f04e1fbc3c93dbf4df0b17cb66
SHA256 1f8ce58992df786114e0d5a23ff54bf867391bdabafb720776c3d8871fd8a0b5
SHA512 67537a2e7fd94686d0320e5a0dcd0e0214de08f4f4c3ab4c34c969e2a6d9123fec6c08206d5ba07b511e1acd23f464106e9daa21248407a7a5dc1cd69de49b27

memory/1724-57-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2022-08-19 14:12
Reported:         2022-08-19 14:14
Platform:         win10v2004-20220812-en
Max time kernel:  142s
Max time network: 147s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Checks computer location settings

Description       | Indicator                                                                                             | Process                         | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description  | Indicator                                                                                 | Process                         | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                             | Process                         | Target
Key created     | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                           | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GR52XVJZ4Q = "\"C:\\Users\\Admin\\AppData\\Roaming\\New Order.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                         | Target                           | Count
PID 3904 wrote to memory of 3424 | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe  | 2
PID 3904 wrote to memory of 3404 | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js
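The process tree above is the whole persistence chain of this sample and it is identical in behavioral1 and behavioral2: the initial wscript.exe drops %AppData%\HVcGjHlAjW.js and runs it in a second wscript.exe with //B (batch mode, which suppresses script errors and prompts so the user sees nothing), registers a scheduled task named Skype that re-runs %AppData%\New Order.js every 30 minutes, and sets the GR52XVJZ4Q Run value to the same file. Note that the recorded schtasks command line ends without a closing quote after the /tr path. The following is an added example, not part of the sandbox output: a small Python detector for that chain, run over constructed process-creation and registry events modelled on the Processes and Signatures tables. The event dict layout is an assumption rather than any EDR's schema; the PIDs come from behavioral1 while the parent PID 900 of the first wscript.exe and the benign Backup task row are invented. The command-line tokenizer deliberately tolerates an unterminated quoted argument so the task's script path is still recovered.

```python
"""Host-side detection of the vjw0rm persistence chain shown in this report.

Added example (not part of the sandbox output).  Runs over constructed
process-creation and registry events shaped like the Processes and
Signatures tables; the dict layout is an assumption, not an EDR schema.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Directories a standard user can write to and a script payload tends to land in.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Users\\[^\\]+\\(Downloads|Desktop|Documents)\\", re.I)

# Constructed process events modelled on behavioral1.  PIDs are from the
# report; ppid 900 for the first wscript.exe and the last (benign) row are invented.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 1964, "ppid": 900, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"'},
    {"pid": 1456, "ppid": 1964, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js"'},
    # The sandbox recorded this command line without a closing quote after the /tr path.
    {"pid": 1724, "ppid": 1964, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js'},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'},
]

# Constructed registry event modelled on the "Adds Run key" signature.
SAMPLE_REGISTRY_EVENTS = [
    {"pid": 1964,
     "key": r"\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\GR52XVJZ4Q",
     "value": r'"C:\Users\Admin\AppData\Roaming\New Order.js"'},
]

# A quoted argument, with the closing quote optional, or a bare token.
_TOKEN = re.compile(r'"([^"]*)"?|(\S+)')


def script_target(cmdline):
    """First argument naming a script file, or None.  A quoted argument with
    no closing quote (as in the schtasks line above) is still returned whole."""
    for m in _TOKEN.finditer(cmdline):
        tok = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def _name(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect_persistence(proc_events, reg_events):
    """Return (rule, pid, script_path) findings for the three persistence steps."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for e in proc_events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""
        target = script_target(e["cmdline"])
        if not (target and USER_WRITABLE.search(target)):
            continue
        # Rule 1: a script host spawned by a script host to run a script in a
        # user-writable directory (the dropper -> dropped-payload hop).
        if name in SCRIPT_HOSTS and parent_name in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_script_host", e["pid"], target))
        # Rule 2: schtasks /create whose action is a script in a user-writable directory.
        if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
            findings.append(("schtasks_persists_script", e["pid"], target))
    for r in reg_events:
        # Rule 3: a Run value whose command is a script file in a user-writable directory.
        target = script_target(r["value"])
        if "\\currentversion\\run\\" in r["key"].lower() and target and USER_WRITABLE.search(target):
            findings.append(("run_key_points_at_script", r["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect_persistence(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(f"{rule:34} pid={pid:<6} {path}")
```

The rules key on behaviour rather than on the names in this report (HVcGjHlAjW.js, GR52XVJZ4Q, Skype), since vjw0rm builds are trivially re-packed with different names; the constants that matter are the script host, the //B hop, the 30-minute task and the Run value pointing at a script under the user profile. The benign Backup row shows the schtasks rule staying quiet when the task action is an executable outside a user-writable path.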

Network

Country | Destination         | Domain             | Proto | Count
IE      | 20.190.159.73:443   | -                  | tcp   | 1
US      | 8.8.8.8:53          | severdops.ddns.net | udp   | 1
US      | 208.67.106.143:5050 | severdops.ddns.net | tcp   | 12
US      | 93.184.220.29:80    | -                  | tcp   | 2
US      | 8.253.225.254:80    | -                  | tcp   | 2
US      | 209.197.3.8:80      | -                  | tcp   | 1
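In both detonations the only non-background traffic is one DNS lookup of severdops.ddns.net followed by a burst of TCP connections to 208.67.106.143:5050; the Windows 10 run adds ordinary Microsoft and CDN traffic on 443/80 around it. The C2 is a dynamic-DNS name, so the IP is the weaker indicator and the name (and the reconnect pattern) the stronger one. The following is an added example, not part of the sandbox output, that serves both Network sections: Python that parses a constructed connection log, matches the IOCs from these tables, and separately flags the repeated, evenly spaced connections as beaconing without depending on the IOC list. The log column layout (timestamp, source, destination, destination port, protocol, queried name) is an assumption, and the roughly 10-second reconnect cadence is invented because the sandbox tables carry no timestamps.

```python
"""Network-side detection for the C2 traffic in this report.

Added example (not part of the sandbox output).  Runs over a constructed
connection log; the column layout is an assumption, and the ~10 s reconnect
cadence is invented because the sandbox tables carry no timestamps.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# IOCs from the behavioral1/behavioral2 Network tables.
IOC_DOMAINS = {"severdops.ddns.net"}
IOC_ENDPOINTS = {("208.67.106.143", 5050)}

# Constructed log, one connection per line.  The fixed lines mirror the benign
# noise in the behavioral2 table (Microsoft and CDN traffic on 443/80); the
# loop appends the repeated C2 connections at a steady, invented interval.
LOG_HEAD = """\
2022-08-19T14:12:30Z,10.0.0.5,20.190.159.73,443,tcp,
2022-08-19T14:12:31Z,10.0.0.5,8.8.8.8,53,udp,severdops.ddns.net
2022-08-19T14:12:40Z,10.0.0.5,93.184.220.29,80,tcp,
2022-08-19T14:12:41Z,10.0.0.5,93.184.220.29,80,tcp,
2022-08-19T14:13:05Z,10.0.0.5,8.253.225.254,80,tcp,
"""
_T0 = datetime(2022, 8, 19, 14, 12, 32)
LOG_TAIL = "".join(
    f"{(_T0 + timedelta(seconds=10 * i)):%Y-%m-%dT%H:%M:%SZ},10.0.0.5,208.67.106.143,5050,tcp,severdops.ddns.net\n"
    for i in range(15)
)
SAMPLE_LOG = LOG_HEAD + LOG_TAIL


def parse_log(text):
    """Parse the constructed CSV layout into connection dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, name = line.split(",")
        conns.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                      "dst": dst, "port": int(port), "proto": proto, "name": name})
    return conns


def match_iocs(conns):
    """Connections touching a known indicator, by queried name or by ip:port."""
    return [c for c in conns
            if c["name"] in IOC_DOMAINS or (c["dst"], c["port"]) in IOC_ENDPOINTS]


def find_beacons(conns, min_hits=5, tolerance=0.25, regular_fraction=0.8):
    """(src, dst, port) tuples contacted repeatedly at a near-constant interval.

    Independent of the IOC list, so it still fires after the operator moves the
    dynamic-DNS name to a new IP.  A peer is flagged when it has at least
    min_hits TCP connections and at least regular_fraction of the gaps between
    them lie within tolerance of the median gap."""
    by_peer = defaultdict(list)
    for c in conns:
        if c["proto"] == "tcp":
            by_peer[(c["src"], c["dst"], c["port"])].append(c["ts"])
    beacons = []
    for (src, dst, port), stamps in by_peer.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        if regular >= regular_fraction:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(stamps), "interval_s": med})
    return beacons


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print(f"{len(match_iocs(conns))} connections matched IOCs")
    for b in find_beacons(conns):
        print(f"beacon {b['src']} -> {b['dst']}:{b['port']} x{b['count']} every {b['interval_s']:.0f}s")
```

On real data the same two functions apply to a Zeek conn.log (ts, id.orig_h, id.resp_h, id.resp_p, proto, with the name joined in from dns.log) or to firewall logs once the columns are mapped; the beacon thresholds are starting points and need tuning against the environment's normal keep-alive traffic.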

Files

memory/3424-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HVcGjHlAjW.js

MD5 fbaec096e2d7b0f56c7abdb5f171e8b3
SHA1 2c26f08b135fa9f04e1fbc3c93dbf4df0b17cb66
SHA256 1f8ce58992df786114e0d5a23ff54bf867391bdabafb720776c3d8871fd8a0b5
SHA512 67537a2e7fd94686d0320e5a0dcd0e0214de08f4f4c3ab4c34c969e2a6d9123fec6c08206d5ba07b511e1acd23f464106e9daa21248407a7a5dc1cd69de49b27

memory/3404-134-0x0000000000000000-mapping.dmp