Malware Analysis Report

2025-06-15 21:05

Sample ID: 220825-v964hsgdfn
Target: proceso-0088-002022-685642634.pdf.js
SHA256: 5cb896f3395e99416d3b91fef16bb735b5bb649f86dd0d94f6191ea3369cf596
Tags: vjw0rm persistence trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5cb896f3395e99416d3b91fef16bb735b5bb649f86dd0d94f6191ea3369cf596

Threat Level: Known bad

The file proceso-0088-002022-685642634.pdf.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-25 17:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-25 17:42
Reported: 2022-08-25 17:46
Platform: win7-20220812-en
Max time kernel: 146s
Max time network: 150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ET4SWR6G7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proceso-0088-002022-685642634.pdf.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1708 wrote to memory of 1188 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1708 wrote to memory of 1188 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1708 wrote to memory of 1188 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js"

Network

Country | Destination | Domain | Proto
NO | 194.5.98.48:4456 | 194.5.98.48 | tcp

Files

memory/1708-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

memory/1188-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js

MD5 632e1d5b2d29cef6f5df8691f556d83a
SHA1 c8779f384f25f04906274424479c1adfebb367f7
SHA256 8b6c82d207009ca49d2e7d588708e856a4e874cfe9318b74c4cd81998ff2b54d
SHA512 9e690d94e5461fa3b230b0b123fc092142d2d1af2d3795ba6b5c4e5671dcf4c3cf005a472fc828307fc6e41996d517806f3a950c5f8b0ced3a78d2fd41390c68

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-25 17:42
Reported: 2022-08-25 17:46
Platform: win10v2004-20220812-en
Max time kernel: 145s
Max time network: 146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ET4SWR6G7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proceso-0088-002022-685642634.pdf.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4940 wrote to memory of 5064 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4940 wrote to memory of 5064 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js"

Network

Country | Destination | Domain | Proto
IE | 20.190.159.68:443 | | tcp
NO | 194.5.98.48:4456 | 194.5.98.48 | tcp
US | 93.184.220.29:80 | | tcp
NL | 67.26.105.254:80 | | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
BE | 67.27.153.126:80 | | tcp
BE | 8.238.111.254:80 | | tcp
US | 93.184.221.240:80 | | tcp

Files

memory/5064-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js

MD5 632e1d5b2d29cef6f5df8691f556d83a
SHA1 c8779f384f25f04906274424479c1adfebb367f7
SHA256 8b6c82d207009ca49d2e7d588708e856a4e874cfe9318b74c4cd81998ff2b54d
SHA512 9e690d94e5461fa3b230b0b123fc092142d2d1af2d3795ba6b5c4e5671dcf4c3cf005a472fc828307fc6e41996d517806f3a950c5f8b0ced3a78d2fd41390c68