Malware Analysis Report

2025-05-05 21:52

Sample ID 221011-l43pgahedn
Target Payment Swift-MT103101122.js
SHA256 22125214857ca13a8cb91e5c920d2018db792d57356537234487ad47e66ae0e0
Tags vjw0rm trojan worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

22125214857ca13a8cb91e5c920d2018db792d57356537234487ad47e66ae0e0

Threat Level: Known bad

The file Payment Swift-MT103101122.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 10:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 10:06

Reported

2022-10-11 10:09

Platform

win7-20220901-en

Max time kernel

147s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
NL | 185.216.71.62:52054 | 185.216.71.62 | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp

Files

memory/1324-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

memory/668-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FeyQENosfv.js

MD5 f008c6822efc36d36773c28c6648531a
SHA1 e2346b75ee7d0ab6106a519f652d1b55f3fd2a28
SHA256 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e
SHA512 cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 10:06

Reported

2022-10-11 10:08

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4832 wrote to memory of 4808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4832 wrote to memory of 4808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NL | 185.216.71.62:52054 | 185.216.71.62 | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
US | 93.184.220.29:80 | - | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
JP | 40.79.189.58:443 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
US | 8.247.211.254:80 | - | tcp
US | 8.247.211.254:80 | - | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp
DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp

Files

memory/4808-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FeyQENosfv.js

MD5 f008c6822efc36d36773c28c6648531a
SHA1 e2346b75ee7d0ab6106a519f652d1b55f3fd2a28
SHA256 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e
SHA512 cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80