Malware Analysis Report

2025-06-15 21:05

Sample ID 220825-m3fnzschb2
Target Purchase Invoice.js
SHA256 c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987
Tags
vjw0rm trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987

Threat Level: Known bad

The file Purchase Invoice.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-25 10:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-25 10:59

Reported

2022-08-25 11:01

Platform

win7-20220812-en

Max time kernel

128s

Max time network

140s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1656 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2024 wrote to memory of 1656 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2024 wrote to memory of 1656 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 harold.jetos.com udp
NL 80.76.51.117:3609 harold.jetos.com tcp

Files

memory/2024-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

memory/1656-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js

MD5 941e8d1fbdde43c2ee8c905440206d8f
SHA1 01c5e045561277dd05756208d4363aa9017fa72b
SHA256 9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791
SHA512 7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-25 10:59

Reported

2022-08-25 11:01

Platform

win10v2004-20220812-en

Max time kernel

145s

Max time network

149s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4964 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4928 wrote to memory of 4964 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 harold.jetos.com udp
NL 80.76.51.117:3609 harold.jetos.com tcp
NL 104.80.225.205:443 tcp
US 20.44.10.123:443 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp

Files

memory/4964-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js

MD5 941e8d1fbdde43c2ee8c905440206d8f
SHA1 01c5e045561277dd05756208d4363aa9017fa72b
SHA256 9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791
SHA512 7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24