Malware Analysis Report

2025-05-28 15:55

Sample ID 220924-jnnt9sagb8
Target New Order for October.js
SHA256 ed6dfe0b4ad2bdc90dc8f0498d26db8ffbc8f498b9e50bd78832e2cc5c41886e
Tags vjw0rm trojan worm
Score 10/10

Analysis Overview

score
10/10

SHA256

ed6dfe0b4ad2bdc90dc8f0498d26db8ffbc8f498b9e50bd78832e2cc5c41886e

Threat Level: Known bad

The file New Order for October.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-24 07:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-24 07:49

Reported

2022-09-24 07:51

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | C:\Windows\System32\WScript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\defiZZUuQa.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ygmkskfjyh.txt"

C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe

C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | jbd231.duckdns.org | udp
NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
US | 93.184.220.29:80 | | tcp
US | 8.253.208.113:80 | | tcp
US | 8.253.208.113:80 | | tcp
US | 8.253.208.113:80 | | tcp
US | 8.253.208.113:80 | | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NL | 104.80.225.205:443 | | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp

Files

memory/5008-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\defiZZUuQa.js

MD5 98d232bcf565c9a3c5ff09ed4b2364b7
SHA1 53a54e4c6966c9fb39595bd894e1b5c30ab6eb5d
SHA256 80853e9a1aabaa758853c4708f7aa5833038cc528f978c054a0e4b7fdfb6803c
SHA512 00208ded48b462e2bb45825994aa7e3d7a9bad78282bbeba4bf04aa7141d1773af1b7a85e4bd4585294a32195943a188c1c64798995ae51ade2c91c11cdf779d

memory/4968-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ygmkskfjyh.txt

MD5 cb149aabfbfca9669536c2ad4bdec4c4
SHA1 42077d0d29634eb7f6034fdf9c69b858d8a399b2
SHA256 d5976ed8b73fa654dfdcb9a46ddf033d38097f34b93548f8cd509eb33d9de4b0
SHA512 a7e143c6ccaa44d62cec7332220e428b368b085853d7b7f2d08d2196518c3079ffe405b3b2ee48ae5679519d6a74ac50dd8d0b01d6e8c4d0a30ff8b1774395b3

memory/4968-145-0x0000000002E90000-0x0000000003E90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

memory/1452-148-0x0000000000000000-mapping.dmp

memory/4968-150-0x0000000002E90000-0x0000000003E90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

memory/4968-152-0x0000000002E90000-0x0000000003E90000-memory.dmp

memory/1452-153-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

memory/4968-154-0x0000000002E90000-0x0000000003E90000-memory.dmp

memory/4968-155-0x0000000002E90000-0x0000000003E90000-memory.dmp

memory/4968-156-0x0000000002E90000-0x0000000003E90000-memory.dmp

memory/4968-158-0x0000000002E90000-0x0000000003E90000-memory.dmp

memory/4968-159-0x0000000002E90000-0x0000000003E90000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-24 07:49

Reported

2022-09-24 07:51

Platform

win7-20220812-en

Max time kernel

128s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | C:\Windows\System32\WScript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\defiZZUuQa.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jseapxsk.txt"

C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe

C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | jbd231.duckdns.org | udp
NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp
NG | 154.120.66.202:5432 | javaautorun.duia.ro | tcp

Files

memory/740-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

memory/560-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\defiZZUuQa.js

MD5 98d232bcf565c9a3c5ff09ed4b2364b7
SHA1 53a54e4c6966c9fb39595bd894e1b5c30ab6eb5d
SHA256 80853e9a1aabaa758853c4708f7aa5833038cc528f978c054a0e4b7fdfb6803c
SHA512 00208ded48b462e2bb45825994aa7e3d7a9bad78282bbeba4bf04aa7141d1773af1b7a85e4bd4585294a32195943a188c1c64798995ae51ade2c91c11cdf779d

memory/1120-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\jseapxsk.txt

MD5 cb149aabfbfca9669536c2ad4bdec4c4
SHA1 42077d0d29634eb7f6034fdf9c69b858d8a399b2
SHA256 d5976ed8b73fa654dfdcb9a46ddf033d38097f34b93548f8cd509eb33d9de4b0
SHA512 a7e143c6ccaa44d62cec7332220e428b368b085853d7b7f2d08d2196518c3079ffe405b3b2ee48ae5679519d6a74ac50dd8d0b01d6e8c4d0a30ff8b1774395b3

memory/1120-67-0x0000000002370000-0x0000000005370000-memory.dmp

memory/1120-72-0x0000000002370000-0x0000000005370000-memory.dmp

memory/1120-75-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1120-76-0x0000000000370000-0x000000000037A000-memory.dmp

memory/2032-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe

MD5 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1 629cf9935873f774f9c3115a59109253ece7cd00
SHA256 b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

memory/2032-80-0x00000000008B0000-0x00000000008B8000-memory.dmp

memory/2032-81-0x0000000075A81000-0x0000000075A83000-memory.dmp

memory/1120-82-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1120-83-0x0000000000370000-0x000000000037A000-memory.dmp