Malware Analysis Report

2025-06-15 21:06

Sample ID 220823-ccn8bsahb4
Target cLAskPOVmATadexax2223.js
SHA256 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956
Tags vjw0rm trojan worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956

Threat Level: Known bad

The file cLAskPOVmATadexax2223.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-08-23 01:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-08-23 01:56
Reported 2022-08-23 01:58
Platform win7-20220812-en
Max time kernel 140s
Max time network 144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

All three writes go from the first wscript.exe (PID 1692, running the submitted file) into the second wscript.exe (PID 1864, running the dropped tekCJjaePX.js; see Processes and the memory/1864 dump under Files). Both the writing process and the target are wscript.exe, so this is the parent writing into the child it spawned, not injection into an unrelated process.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"

The second wscript.exe is launched by the first on the dropped tekCJjaePX.js (hashes under Files below). //B is wscript's batch mode, which suppresses script error dialogs and prompts, so the second stage runs without anything visible to the user.

Network

Country | Destination | Domain | Proto
NL | 185.157.162.75:2223 | 185.157.162.75 | tcp

The destination is a raw IP with no domain resolved. Note that the submitted filename, cLAskPOVmATadexax2223.js, ends in the same number as the destination port.

Files

memory/1692-54-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

memory/1864-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\tekCJjaePX.js

MD5 03e3c601fbb227e986a13bd98d98493a
SHA1 fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870
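The execution chain recorded in this run (wscript.exe launching the submitted .js from the user's Temp folder, a copy written to the Startup folder, a second wscript.exe spawned with //B on the dropped tekCJjaePX.js, and the outbound connection to 185.157.162.75:2223), expressed as detection rules and run over constructed Sysmon-style events. This is an added example, not part of the sandbox report: the event records, rule names and field layout are assumptions modelled on Sysmon Event ID 1, 3 and 11, and the inclusion of cscript.exe and script extensions other than .js is a generalisation beyond what the report shows (only wscript.exe and .js appear in it).

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators lifted from the report. cscript.exe and the non-.js extensions are
# assumptions (generalisation); only wscript.exe and .js appear in the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
KNOWN_C2 = {("185.157.162.75", 2223)}  # Network table, both runs

# A script file under the user's AppData (Roaming or Local) on the command line.
USER_PROFILE_SCRIPT_RE = re.compile(
    r'[A-Z]:\\Users\\[^\\"]+\\AppData\\(?:Roaming|Local)\\[^"]*?\.(?:js|jse|vbs|vbe|wsf)\b',
    re.IGNORECASE)
# A file written directly into the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r'\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$',
    re.IGNORECASE)
# wscript/cscript batch mode: suppresses error dialogs and prompts.
BATCH_MODE_RE = re.compile(r'(?:^|\s)//B(?:\s|$)', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _is_script(path):
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS


def evaluate(event):
    """Names of every rule a single Sysmon-style event trips (EID 1, 3 or 11)."""
    hits = []
    eid = event["EventID"]
    image = _basename(event.get("Image", ""))
    if eid == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if image in SCRIPT_HOSTS:
            if USER_PROFILE_SCRIPT_RE.search(cmd):
                hits.append("script_host_runs_user_profile_script")
            if BATCH_MODE_RE.search(cmd):
                hits.append("script_host_batch_mode")
            if _basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
                hits.append("script_host_spawns_script_host")
    elif eid == 3:  # network connection
        if image in SCRIPT_HOSTS:
            hits.append("script_host_network_connect")
        endpoint = (event.get("DestinationIp"), int(event.get("DestinationPort", 0)))
        if endpoint in KNOWN_C2:
            hits.append("known_c2_endpoint")
    elif eid == 11:  # file creation
        target = event.get("TargetFilename", "")
        if image in SCRIPT_HOSTS and _is_script(target):
            hits.append("script_host_writes_script_file")
        if _is_script(target) and STARTUP_DIR_RE.search(target):
            hits.append("startup_folder_script_drop")
    return hits


def detect(events):
    """(event index, rule name) for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


def summarise(events):
    """Hit count per rule; one host tripping several distinct rules is the signal."""
    return Counter(rule for _, rule in detect(events))


# Constructed events reproducing the chain from the behavioral1 run, plus benign noise.
SAMPLE_EVENTS = [
    # 0: initial launch of the submitted .js (report's Command Line)
    {"EventID": 1, "ProcessId": 1692, "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js"},
    # 1: copy of itself written into the Startup folder
    {"EventID": 11, "ProcessId": 1692, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js"},
    # 2: second-stage script dropped into %APPDATA%
    {"EventID": 11, "ProcessId": 1692, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"},
    # 3: wscript spawning wscript in batch mode on the dropped script
    {"EventID": 1, "ProcessId": 1864, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"'},
    # 4: connection to the C2 endpoint from the Network table
    {"EventID": 3, "ProcessId": 1692, "Image": r"C:\Windows\system32\wscript.exe",
     "DestinationIp": "185.157.162.75", "DestinationPort": 2223, "Protocol": "tcp"},
    # 5-7: benign noise that must not fire (constructed)
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 2300, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\setup.js"'},
    {"EventID": 3, "ProcessId": 2400, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Protocol": "tcp"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print(dict(summarise(SAMPLE_EVENTS)))
```

No single rule is conclusive on its own (an installer launching wscript.exe from Program Files trips nothing here, and a script host making any network connection is noisy on its own); the point is that one process tree trips the profile-script, batch-mode, script-spawns-script, Startup-drop and C2 rules together, which is what the report's signature list amounts to.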

Analysis: behavioral2

Detonation Overview

Submitted 2022-08-23 01:56
Reported 2022-08-23 01:58
Platform win10v2004-20220812-en
Max time kernel 137s
Max time network 142s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Control Panel\International\Geo\Nation in the user's hive holds the configured country/region code; a script host reading it is typically a geofencing check. This signature fired only in this Windows 10 run, not in the Windows 7 run above.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3176 wrote to memory of 4088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 3176 wrote to memory of 4088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Same parent-to-child pattern as on Windows 7: PID 3176 is the wscript.exe running the submitted file and PID 4088 the one running tekCJjaePX.js (memory/4088-132 under Files).

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"

Same second stage as on Windows 7: the first wscript.exe spawns a second one in batch mode (//B) on the dropped tekCJjaePX.js, whose hashes under Files are identical in both runs.

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | - | tcp
NL | 185.157.162.75:2223 | 185.157.162.75 | tcp
IE | 13.69.239.73:443 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp

Only 185.157.162.75:2223 is seen in both the Windows 7 and Windows 10 runs. The remaining destinations were logged without a resolved domain, and the report gives nothing that ties them to the sample rather than to the platform itself.

Files

memory/4088-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\tekCJjaePX.js

MD5 03e3c601fbb227e986a13bd98d98493a
SHA1 fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870
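The two on-disk artifacts this report gives for an affected user profile are a script file in the per-user Startup folder and the second-stage script tekCJjaePX.js loose in the Roaming root, with the same SHA256 in both runs. A host-triage check for those, as an added example that is not part of the report: it walks a profile directory, hashes every script file in those two locations and compares against the hash from the Files section. The demo profile is built in a temporary directory with placeholder contents (constructed, so their hashes will not match the report's); the extra script extensions beyond .js are an assumed generalisation.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 of the dropped tekCJjaePX.js from the report's Files section (same in both runs).
KNOWN_SHA256 = {
    "6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0":
        "tekCJjaePX.js (second stage, per report)",
}
# Extensions beyond .js are an assumed generalisation; the report shows only .js.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Relative to a user profile directory (e.g. C:\Users\Admin).
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
ROAMING_REL = Path("AppData/Roaming")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_profile(profile):
    """Script files in the Startup folder and loose in the Roaming root, hashed
    and matched against the report's known hash."""
    profile = Path(profile)
    findings = []
    for rel, where in ((STARTUP_REL, "startup_folder"), (ROAMING_REL, "roaming_root")):
        folder = profile / rel
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.suffix.lower() in SCRIPT_EXTS:
                digest = sha256_file(entry)
                findings.append({
                    "where": where,
                    "path": str(entry),
                    "sha256": digest,
                    "known_as": KNOWN_SHA256.get(digest),  # None unless it matches the report
                })
    return findings


def build_demo_profile(root):
    """Constructed profile carrying the artifact names from the report. Contents
    are placeholders, so their hashes deliberately do not match the report."""
    root = Path(root)
    startup = root / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "cLAskPOVmATadexax2223.js").write_text("// placeholder, not the real sample\n")
    (root / ROAMING_REL / "tekCJjaePX.js").write_text("// placeholder, not the real sample\n")
    (root / ROAMING_REL / "notes.txt").write_text("benign, not a script\n")
    return root


def demo():
    """Run the scan over the constructed profile and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_demo_profile(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f["where"], f["path"], f["sha256"], f["known_as"] or "hash not in report")
```

Any script file in the Startup folder is worth pulling regardless of hash, since the worm copies the submitted file there under whatever name it was run as; the hash comparison is what confirms the second stage specifically.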