Malware Analysis Report

2025-06-15 21:06

Sample ID: 220823-ccwmeagafj
Target: cLAskPOVmATadexax2223.js
SHA256: 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956
Tags: vjw0rm trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956

Threat Level: Known bad

The file cLAskPOVmATadexax2223.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-23 01:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-23 01:56
Reported: 2022-08-23 01:59
Platform: win7-20220812-en
Max time kernel: 131s
Max time network: 136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1732 wrote to memory of 1900 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1732 wrote to memory of 1900 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1732 wrote to memory of 1900 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.157.162.75:2223 | 185.157.162.75 | tcp |

Files

memory/1732-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

memory/1900-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\tekCJjaePX.js

MD5: 03e3c601fbb227e986a13bd98d98493a
SHA1: fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256: 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512: 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-23 01:56
Reported: 2022-08-23 01:59
Platform: win10v2004-20220812-en
Max time kernel: 149s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4208 wrote to memory of 456 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4208 wrote to memory of 456 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.157.162.75:2223 | 185.157.162.75 | tcp |
| IE | 20.190.159.4:443 | | tcp |
| IE | 20.190.159.4:443 | | tcp |
| IE | 20.190.159.4:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| IE | 20.190.159.64:443 | | tcp |
| IE | 20.190.159.64:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| IE | 40.126.31.69:443 | | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| IE | 20.190.159.73:443 | | tcp |
| US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| IE | 40.126.31.67:443 | | tcp |

Files

memory/456-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\tekCJjaePX.js

MD5: 03e3c601fbb227e986a13bd98d98493a
SHA1: fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256: 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512: 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870