Analysis Overview
SHA256
c52320fc195a224294899543e52212f4cbe3026a467ff2438bfba5011ba1e987
Threat Level: Known bad
The file Purchase Invoice.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-25 10:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-25 10:59
Reported
2022-08-25 11:01
Platform
win7-20220812-en
Max time kernel
128s
Max time network
140s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 1656 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2024 wrote to memory of 1656 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2024 wrote to memory of 1656 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 80.76.51.117:3609 | harold.jetos.com | tcp |
Files
memory/2024-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
memory/1656-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js
| MD5 | 941e8d1fbdde43c2ee8c905440206d8f |
| SHA1 | 01c5e045561277dd05756208d4363aa9017fa72b |
| SHA256 | 9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791 |
| SHA512 | 7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-25 10:59
Reported
2022-08-25 11:01
Platform
win10v2004-20220812-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4928 wrote to memory of 4964 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4928 wrote to memory of 4964 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 80.76.51.117:3609 | harold.jetos.com | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| US | 20.44.10.123:443 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
Files
memory/4964-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\BukjbJDPyc.js
| MD5 | 941e8d1fbdde43c2ee8c905440206d8f |
| SHA1 | 01c5e045561277dd05756208d4363aa9017fa72b |
| SHA256 | 9a025c2741429e4b0f13efa81c92f3684e700f380c44fded2860d19e819b3791 |
| SHA512 | 7fe76383ebca021bd46c9b7c00fd8e355886cca2c23a729e7d7814078134216e42706860199b52c23a3e85b9d95f0b558059c503aa47bf04e46635d216135c24 |