Malware Analysis Report

2025-06-15 21:06

Sample ID: 220824-tbmrjsgfg9
Target: Purchase Invoice.js
SHA256: d90554b8cf36add67ceaaedfdcab5507eca5951197aed9b2a851485736640779
Tags: vjw0rm trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d90554b8cf36add67ceaaedfdcab5507eca5951197aed9b2a851485736640779

Threat Level: Known bad

The file Purchase Invoice.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-24 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-24 15:53
Reported: 2022-08-24 15:55
Platform: win7-20220812-en
Max time kernel: 132s
Max time network: 137s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | harold.jetos.com | udp
NL | 80.76.51.117:3609 | harold.jetos.com | tcp

Files

memory/1972-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

memory/1936-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js

MD5: 1214283010a75e6bf30c48c99722ee00
SHA1: baf927af2f820cf90a38bb0093097a18c7430fc6
SHA256: a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df
SHA512: ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-24 15:53
Reported: 2022-08-24 15:56
Platform: win10v2004-20220812-en
Max time kernel: 152s
Max time network: 169s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2320 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | harold.jetos.com | udp
NL | 80.76.51.117:3609 | harold.jetos.com | tcp
DE | 20.52.64.200:443 | N/A | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp

Files

memory/2184-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js

MD5: 1214283010a75e6bf30c48c99722ee00
SHA1: baf927af2f820cf90a38bb0093097a18c7430fc6
SHA256: a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df
SHA512: ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156
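The signatures recorded in the behavioral1 and behavioral2 analyses above (a wscript.exe parent spawning a second wscript.exe with the //B switch on a dropped .js under AppData\Roaming, a copy of the script written to the per-user Startup folder, a query of the Control Panel\International\Geo\Nation key, and DNS plus TCP/3609 traffic to harold.jetos.com) translate directly into host-level detection logic. The Python below is an added example written for this page; it is not sandbox output and not code from the VJW0rm sample. It runs the rules over constructed Sysmon-style event records whose field names (event_type, image, parent_image, command_line, target, sha256, key, dest_ip, dest_port, query) are this example's own assumption, not the sandbox's schema. The //B switch is wscript/cscript batch mode, which suppresses script error dialogs and prompts.

```python
# Added example for this report: detection rules for the VJW0rm behaviours
# recorded in behavioral1/behavioral2, applied to constructed event records.
# The event field names below are an assumption of this example.
import re
from typing import Dict, List, Tuple

# Indicators taken from the report.
C2_DOMAIN = "harold.jetos.com"
C2_ENDPOINT = ("80.76.51.117", 3609)
DROPPED_SHA256 = "a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df"
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

SCRIPT_HOST_RE = re.compile(r"(^|\\)[wc]script\.exe$", re.IGNORECASE)
STARTUP_JS_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.js$", re.IGNORECASE)
# //B is wscript/cscript batch mode: no error dialogs, no prompts.
BATCH_FLAG_RE = re.compile(r"(^|\s)//B(\s|$)", re.IGNORECASE)
ROAMING_JS_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.js\b", re.IGNORECASE)

Event = Dict[str, object]
Alert = Tuple[str, int, str]  # (rule name, event index, detail)


def is_script_host(path: object) -> bool:
    return isinstance(path, str) and SCRIPT_HOST_RE.search(path) is not None


def detect(events: List[Event]) -> List[Alert]:
    """Apply each rule to every event; return alerts in event order."""
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        kind = ev.get("event_type")
        image = ev.get("image", "")
        if kind == "process":
            cmd = str(ev.get("command_line", ""))
            # Rule 1: script host spawning a second script host in batch mode,
            # the parent wscript -> child "wscript //B" chain seen in both detonations.
            if (is_script_host(image) and is_script_host(ev.get("parent_image"))
                    and BATCH_FLAG_RE.search(cmd)):
                where = "Roaming .js" if ROAMING_JS_RE.search(cmd) else "other script"
                alerts.append(("script_host_spawns_batch_script_host", i, where))
        elif kind == "file":
            target = str(ev.get("target", ""))
            # Rule 2: a script host writing a .js into the per-user Startup folder.
            if is_script_host(image) and STARTUP_JS_RE.search(target):
                alerts.append(("startup_js_drop", i, target))
            # Rule 3: hash of the dropped second stage from the Files section.
            if str(ev.get("sha256", "")).lower() == DROPPED_SHA256:
                alerts.append(("known_vjw0rm_second_stage_hash", i, target))
        elif kind == "registry":
            key = str(ev.get("key", "")).lower()
            # Rule 4: the locale check recorded as "Checks computer location settings".
            if is_script_host(image) and key.endswith(GEO_NATION_SUFFIX):
                alerts.append(("geo_nation_query", i, key))
        elif kind == "network":
            query = str(ev.get("query", "")).lower()
            endpoint = (ev.get("dest_ip"), ev.get("dest_port"))
            # Rule 5: resolution of, or a connection to, the C2 in the Network table.
            if query == C2_DOMAIN or endpoint == C2_ENDPOINT:
                alerts.append(("vjw0rm_c2_contact", i, f"{query or endpoint}"))
    return alerts


def chain_matched(alerts: List[Alert]) -> bool:
    """True when persistence, the batch-mode child and C2 contact all fired;
    the combination is far more specific than any single rule."""
    names = {name for name, _, _ in alerts}
    return {"script_host_spawns_batch_script_host", "startup_js_drop",
            "vjw0rm_c2_contact"} <= names


# Constructed records mirroring the report's process tree, file, registry and
# network entries, followed by benign noise that must not alert.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "process", "pid": 1972, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"'},
    {"event_type": "file", "pid": 1972, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js"},
    {"event_type": "file", "pid": 1972, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js", "sha256": DROPPED_SHA256},
    {"event_type": "process", "pid": 1936, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"'},
    {"event_type": "registry", "pid": 2320, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation"},
    {"event_type": "network", "pid": 1936, "image": r"C:\Windows\System32\wscript.exe",
     "proto": "udp", "dest_ip": "8.8.8.8", "dest_port": 53, "query": "harold.jetos.com"},
    {"event_type": "network", "pid": 1936, "image": r"C:\Windows\System32\wscript.exe",
     "proto": "tcp", "dest_ip": "80.76.51.117", "dest_port": 3609},
    # Benign: a logon script launched by userinit, and an ordinary DNS lookup.
    {"event_type": "process", "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r'wscript.exe "\\corp.example\netlogon\logon.vbs"'},
    {"event_type": "network", "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "proto": "udp", "dest_ip": "8.8.8.8", "dest_port": 53, "query": "www.example.com"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, idx, detail in found:
        print(f"[{idx}] {rule}: {detail}")
    print("VJW0rm behaviour chain matched:", chain_matched(found))
```

Each rule on its own is noisy in a real estate (administrators do run wscript.exe, and Geo\Nation is read by plenty of legitimate software), so chain_matched() requires the Startup drop, the batch-mode child script host and the C2 contact together, which is exactly the combination this report records; the hash rule is the narrowest and the first to stop firing once the operator rebuilds the second stage.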