Malware Analysis Report

2025-05-05 21:52

Sample ID 221010-k5llxabebj
Target Inquiry - P.O# 01048.js
SHA256 ee4fe0e9b80548010efafc805070d10302444cd4c3cda5d320c07abfc4bf0cba
Tags vjw0rm trojan worm
Score 10/10

Analysis Overview

Score 10/10

SHA256

ee4fe0e9b80548010efafc805070d10302444cd4c3cda5d320c07abfc4bf0cba

Threat Level: Known bad

The file Inquiry - P.O# 01048.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-10 09:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-10 09:11

Reported

2022-10-10 09:13

Platform

win7-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2040 wrote to memory of 1668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1989 | 185.222.57.147 | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp

Files

memory/2040-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

memory/1668-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js

MD5 895bcda898dfd53568e6ece9575c6cae
SHA1 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e
SHA256 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5
SHA512 ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-10 09:11

Reported

2022-10-10 09:13

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4028 wrote to memory of 2220 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4028 wrote to memory of 2220 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"

Network

Country | Destination | Domain | Proto
NL | 185.222.57.147:1989 | 185.222.57.147 | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
US | 93.184.221.240:80 | | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp

Files

memory/2220-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js

MD5 895bcda898dfd53568e6ece9575c6cae
SHA1 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e
SHA256 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5
SHA512 ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd