Malware Analysis Report

2025-05-05 21:52

Sample ID: 221011-klez1sefhr
Target: transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
SHA256: 508b21cb602b5a3e9e19eb6ba9e010fb0d4a743d18e4a869063f72e2454324f7
Tags: vjw0rm trojan worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 508b21cb602b5a3e9e19eb6ba9e010fb0d4a743d18e4a869063f72e2454324f7

Threat Level: Known bad

The file transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-11 08:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-11 08:41

Reported: 2022-10-11 08:43

Platform: win7-20220901-en

Max time kernel: 148s

Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\phbumwz.txt"

Network

Country | Destination | Domain | Proto
NL | 185.222.57.147:1990 | | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp

Files

memory/620-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

memory/472-55-0x0000000000000000-mapping.dmp

memory/1628-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js

MD5 7d8cc50c80e29db13ca0032d3e00a56d
SHA1 d8d138717093b67b4d6205234c82a6fe4f801429
SHA256 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b
SHA512 b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

C:\Users\Admin\AppData\Roaming\phbumwz.txt

MD5 c1783ea3118978252aa6c8891d0ea61c
SHA1 9986142768fd83fb445f8ac6dfd196aba3fb3139
SHA256 23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855
SHA512 6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006

memory/1628-67-0x0000000002290000-0x0000000005290000-memory.dmp

memory/1628-74-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1628-75-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1628-76-0x0000000002290000-0x0000000005290000-memory.dmp

memory/1628-77-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1628-78-0x0000000000370000-0x000000000037A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-11 08:41

Reported: 2022-10-11 08:44

Platform: win10v2004-20220901-en

Max time kernel: 147s

Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4644 wrote to memory of 1164 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 1164 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 4660 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4644 wrote to memory of 4660 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bzjupikerj.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
US | 93.184.221.240:80 | | tcp
NL | 104.80.225.205:443 | | tcp
NL | 185.222.57.147:1990 | | tcp
GB | 51.132.193.104:443 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NL | 185.222.57.147:1990 | | tcp

Files

memory/1164-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js

MD5 7d8cc50c80e29db13ca0032d3e00a56d
SHA1 d8d138717093b67b4d6205234c82a6fe4f801429
SHA256 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b
SHA512 b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

memory/4660-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bzjupikerj.txt

MD5 c1783ea3118978252aa6c8891d0ea61c
SHA1 9986142768fd83fb445f8ac6dfd196aba3fb3139
SHA256 23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855
SHA512 6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006

memory/4660-143-0x0000000002BE0000-0x0000000003BE0000-memory.dmp

memory/4660-150-0x0000000002BE0000-0x0000000003BE0000-memory.dmp

memory/4660-151-0x0000000002BE0000-0x0000000003BE0000-memory.dmp