Analysis Overview
SHA256
ee4fe0e9b80548010efafc805070d10302444cd4c3cda5d320c07abfc4bf0cba
Threat Level: Known bad
The file Inquiry - P.O# 01048.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-10 09:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-10 09:11
Reported
2022-10-10 09:13
Platform
win7-20220812-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| NL | 185.222.57.147:1989 | 185.222.57.147 | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
Files
memory/2040-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp
memory/1668-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js
| MD5 | 895bcda898dfd53568e6ece9575c6cae |
| SHA1 | 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e |
| SHA256 | 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5 |
| SHA512 | ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-10 09:11
Reported
2022-10-10 09:13
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4028 wrote to memory of 2220 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4028 wrote to memory of 2220 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"
Network
| Country | Destination | Domain | Proto |
| NL | 185.222.57.147:1989 | 185.222.57.147 | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | tcp | |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
| DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp |
Files
memory/2220-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js
| MD5 | 895bcda898dfd53568e6ece9575c6cae |
| SHA1 | 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e |
| SHA256 | 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5 |
| SHA512 | ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd |