Malware Analysis Report

2025-05-28 15:55

Sample ID 220923-qyn2caachm
Target Statement Power Metre SRL.js
SHA256 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
Tags
vjw0rm trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b

Threat Level: Known bad

The file Statement Power Metre SRL.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-23 13:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-23 13:40

Reported

2022-09-23 13:42

Platform

win7-20220901-en

Max time kernel

142s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js
Process: C:\Windows\System32\WScript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js
Process: C:\Windows\System32\WScript.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Program Files\Java\jre7\bin\javaw.exe
Target: N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bqdusfmk.txt"

C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe

C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NO 194.5.98.175:5432 javaautorun.duia.ro tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
NL 109.248.150.185:80 109.248.150.185 tcp

Files

memory/1700-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

memory/2024-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/580-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bqdusfmk.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/580-71-0x00000000022B0000-0x00000000052B0000-memory.dmp

memory/580-74-0x00000000005D0000-0x00000000005DA000-memory.dmp

memory/2008-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

memory/2008-78-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

memory/2008-79-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

memory/580-80-0x00000000022B0000-0x00000000052B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-23 13:40

Reported

2022-09-23 13:42

Platform

win10v2004-20220812-en

Max time kernel

144s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js
Process: C:\Windows\System32\WScript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js
Process: C:\Windows\System32\WScript.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Process: C:\Windows\system32\wscript.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
Target: N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"

C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe

C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NO 194.5.98.175:5432 javaautorun.duia.ro tcp
NL 104.80.225.205:443 tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
NL 109.248.150.185:80 109.248.150.185 tcp
US 209.197.3.8:80 tcp

Files

memory/5024-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/4604-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\qtkykjur.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/4604-138-0x0000000003230000-0x0000000004230000-memory.dmp

memory/860-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

memory/4604-151-0x0000000003230000-0x0000000004230000-memory.dmp

memory/4604-153-0x0000000003230000-0x0000000004230000-memory.dmp

memory/860-154-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

memory/4604-155-0x0000000003230000-0x0000000004230000-memory.dmp

memory/4604-156-0x0000000003230000-0x0000000004230000-memory.dmp

memory/4604-157-0x0000000003230000-0x0000000004230000-memory.dmp

memory/4604-159-0x0000000003230000-0x0000000004230000-memory.dmp

memory/4604-160-0x0000000003230000-0x0000000004230000-memory.dmp