Malware Analysis Report

2025-05-05 21:52

Sample ID 221010-ndq9vsbfa7
Target DP1010.js
SHA256 319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823
Tags
vjw0rm trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823

Threat Level: Known bad

The file DP1010.js was found to be: Known bad.

Both behavioural detonations (Windows 7 and Windows 10) record the same chain: wscript.exe runs DP1010.js, which writes a second script, iNFyCMUHlt.js, to %APPDATA% and to the user's Startup folder (so it runs again at every logon), relaunches that script with wscript.exe //B (batch mode, which suppresses script error dialogs), drops and runs fireblende.exe from %TEMP%, and resolves javaautorun.duia.ro to 37.120.232.109, to which it connects repeatedly on 5465/tcp. The Windows 10 run additionally queries the Geo\Nation registry value (computer location check).

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-10 11:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-10 11:17

Reported

2022-10-10 11:19

Platform

win7-20220812-en

Max time kernel

127s

Max time network

139s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A  (5 identical events)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fireblende.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fireblende.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"

C:\Users\Admin\AppData\Local\Temp\fireblende.exe

"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp  (5 connections)

Files

memory/1848-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

memory/856-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js

MD5 8a0de3cb189e9f7611b73438796e43ba
SHA1 73684c9be5b1992510c4e0a8d3b70137a2efd207
SHA256 ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899
SHA512 8c92d8cc47f356b48020bbbfe17dafc9e9420f08b3bfa43b53ef7d3afc129282bc5248db5115202ff58c424c5c5c417271382d5e33ab305d5d550f4165346ac2

memory/1324-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fireblende.exe

MD5 f5eeb7b7ec72a813286f53d736c9f78a
SHA1 ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9
SHA256 19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358
SHA512 4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-10 11:17

Reported

2022-10-10 11:19

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A  (6 identical events)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fireblende.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fireblende.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"

C:\Users\Admin\AppData\Local\Temp\fireblende.exe

"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp
US | 209.197.3.8:80 | (no domain recorded) | tcp
US | 209.197.3.8:80 | (no domain recorded) | tcp
US | 20.189.173.4:443 | (no domain recorded) | tcp
DK | 37.120.232.109:5465 | javaautorun.duia.ro | tcp  (5 further connections)

Files

memory/4968-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js

MD5 8a0de3cb189e9f7611b73438796e43ba
SHA1 73684c9be5b1992510c4e0a8d3b70137a2efd207
SHA256 ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899
SHA512 8c92d8cc47f356b48020bbbfe17dafc9e9420f08b3bfa43b53ef7d3afc129282bc5248db5115202ff58c424c5c5c417271382d5e33ab305d5d550f4165346ac2

memory/4840-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fireblende.exe

MD5 f5eeb7b7ec72a813286f53d736c9f78a
SHA1 ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9
SHA256 19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358
SHA512 4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

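The following Python detection logic is an added example, not part of this sandbox report and not code from the vjw0rm sample. It encodes the chain recorded in the Signatures, Processes and Network sections of both detonations (Startup-folder script drop, wscript.exe //B relaunch from %APPDATA%, execution of a dropped EXE with a known hash, the Geo\Nation registry query, and DNS/TCP contact with the C2) and runs it over constructed Sysmon-style events. The indicators, paths and hashes come from the report; the PIDs, the ordering of events, which process performed each action, the 209.197.3.8:80 connection's attribution to wscript.exe, the event schema and the benign control event are assumptions.

```python
import re

# Indicators taken from the report above.
C2_DOMAIN = "javaautorun.duia.ro"
C2_ENDPOINT = ("37.120.232.109", 5465)
DROPPED_SHA256 = {
    "ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899": "iNFyCMUHlt.js",
    "19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358": "fireblende.exe",
}

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
BATCH_SWITCH = re.compile(r"(^|\s)//B(\s|$)", re.I)          # wscript batch mode: no error dialogs
STARTUP_SCRIPT = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(js|jse|vbs|vbe|wsf)$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def detect_vjw0rm(events):
    """Return (rule, pid, detail) tuples for events matching the vjw0rm chain.

    Paths seen in file_create events are remembered so that a later
    process_create of the same path fires executes_dropped_exe, which is
    how the sandbox's "Executes dropped EXE" signature is defined.
    """
    dropped = set()
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["target"]
            dropped.add(path.lower())
            if SCRIPT_HOST.search(ev["image"]) and STARTUP_SCRIPT.search(path):
                hits.append(("drops_startup_script", ev["pid"], path))
        elif kind == "process_create":
            image, cmd = ev["image"], ev["command_line"]
            if image.lower() in dropped and image.lower().endswith(".exe"):
                hits.append(("executes_dropped_exe", ev["pid"], image))
            if SCRIPT_HOST.search(image) and BATCH_SWITCH.search(cmd) and USER_WRITABLE.search(cmd):
                hits.append(("script_host_batch_mode_from_appdata", ev["pid"], cmd))
            name = DROPPED_SHA256.get(ev.get("sha256", "").lower())
            if name:
                hits.append(("known_dropped_file_hash", ev["pid"], name))
        elif kind == "registry_query":
            if GEO_NATION.search(ev["key"]):
                hits.append(("checks_geo_nation", ev["pid"], ev["key"]))
        elif kind == "dns_query":
            if ev["name"].lower() == C2_DOMAIN:
                hits.append(("c2_dns_lookup", ev["pid"], ev["name"]))
        elif kind == "network_connect":
            dst = f"{ev['dst_ip']}:{ev['dst_port']}"
            if (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
                hits.append(("c2_connect", ev["pid"], dst))
            elif SCRIPT_HOST.search(ev["image"]):
                # Script hosts have no business making their own network requests.
                hits.append(("script_host_network_request", ev["pid"], dst))
    return hits


# Constructed sample telemetry mirroring the report (PIDs, ordering and the
# process attributed to each event are assumed, not taken from the report).
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1848, "image": r"C:\Windows\system32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js", "sha256": ""},
    {"type": "file_create", "pid": 1848, "image": WSCRIPT,
     "target": r"C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"},
    {"type": "file_create", "pid": 1848, "image": WSCRIPT,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js"},
    {"type": "process_create", "pid": 856, "image": WSCRIPT,
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"',
     "sha256": ""},
    {"type": "registry_query", "pid": 856,
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "pid": 856, "name": "javaautorun.duia.ro"},
    {"type": "network_connect", "pid": 856, "image": WSCRIPT, "dst_ip": "37.120.232.109", "dst_port": 5465},
    {"type": "network_connect", "pid": 856, "image": WSCRIPT, "dst_ip": "209.197.3.8", "dst_port": 80},
    {"type": "file_create", "pid": 856, "image": WSCRIPT,
     "target": r"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"},
    {"type": "process_create", "pid": 1324, "image": r"C:\Users\Admin\AppData\Local\Temp\fireblende.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"',
     "sha256": "19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358"},
    # Benign control (constructed): a logon script run without //B from a share.
    {"type": "process_create", "pid": 2000, "image": WSCRIPT,
     "command_line": r"wscript.exe \\fileserver\netlogon\map_drives.vbs", "sha256": ""},
]

if __name__ == "__main__":
    for rule, pid, detail in detect_vjw0rm(SAMPLE_EVENTS):
        print(f"{rule:38} pid={pid:<5} {detail}")
```

The dropped-path tracking is what turns two individually weak signals (a file written to %TEMP%, a process started from %TEMP%) into the report's "Executes dropped EXE" finding; on a real host, feed it Sysmon event IDs 1, 11, 12/13, 22 and 3 in timestamp order.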