Malware Analysis Report

2025-05-05 21:52

Sample ID: 221012-qlpgcadfbr
Target: PO20221110-PDF.js
SHA256: 94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
Tags: netwire vjw0rm botnet rat stealer trojan worm
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
Threat Level: Known bad

The file PO20221110-PDF.js was found to be: Known bad.

Malicious Activity Summary

Tags: netwire vjw0rm botnet rat stealer trojan worm

Netwire

Vjw0rm

NetWire RAT payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-12 13:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-12 13:21

Reported

2022-10-12 13:23

Platform

win7-20220812-en

Max time kernel

128s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 hits, no details recorded)

Netwire

Tags: botnet stealer netwire

Vjw0rm

Tags: trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A (5 hits)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Host DNS.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Host DNS.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js"

C:\Users\Admin\AppData\Roaming\Host DNS.exe

"C:\Users\Admin\AppData\Roaming\Host DNS.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jspowerone.cloudns.nz | udp
NL | 185.216.71.191:8078 | jspowerone.cloudns.nz | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.29.135:5465 | javaautorun.duia.ro | tcp (5 connections)

Files

memory/1504-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

memory/1480-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js

MD5 b2ab4f082c681e45ba19a59c55c2a418
SHA1 46c869e81ab32f5875bd1aedc05e1858d90963d4
SHA256 698ff38f65986350217e7718c792f4d1b540a773718b05d821cfdf2919e9d473
SHA512 fede4f9cfd8abfd9bb4ceef0303874d81edd97015a2e1b1c03fd9147bc320a554f75cd9ece1592fe41d90934bfcfcf53d1ab2c03422861132fb2157be2e16efd

memory/2032-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Host DNS.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

memory/2032-59-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Host DNS.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

memory/1444-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-12 13:21

Reported

2022-10-12 13:23

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 hits, no details recorded)

Netwire

Tags: botnet stealer netwire

Vjw0rm

Tags: trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A (6 hits)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Host DNS.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Host DNS.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js"

C:\Users\Admin\AppData\Roaming\Host DNS.exe

"C:\Users\Admin\AppData\Roaming\Host DNS.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.29.135:5465 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | jspowerone.cloudns.nz | udp
US | 93.184.220.29:80 | (none recorded) | tcp
NL | 185.216.71.191:8078 | jspowerone.cloudns.nz | tcp
NL | 95.101.78.82:80 | (none recorded) | tcp
NL | 95.101.78.82:80 | (none recorded) | tcp
NL | 104.80.225.205:443 | (none recorded) | tcp
NG | 41.217.29.135:5465 | javaautorun.duia.ro | tcp
FR | 51.11.192.48:443 | (none recorded) | tcp
US | 209.197.3.8:80 | (none recorded) | tcp
US | 209.197.3.8:80 | (none recorded) | tcp
US | 209.197.3.8:80 | (none recorded) | tcp
NG | 41.217.29.135:5465 | javaautorun.duia.ro | tcp (4 connections)

Files

memory/4880-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js

MD5 b2ab4f082c681e45ba19a59c55c2a418
SHA1 46c869e81ab32f5875bd1aedc05e1858d90963d4
SHA256 698ff38f65986350217e7718c792f4d1b540a773718b05d821cfdf2919e9d473
SHA512 fede4f9cfd8abfd9bb4ceef0303874d81edd97015a2e1b1c03fd9147bc320a554f75cd9ece1592fe41d90934bfcfcf53d1ab2c03422861132fb2157be2e16efd

memory/1660-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Host DNS.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

C:\Users\Admin\AppData\Roaming\Host DNS.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

memory/1712-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 93faef710207f7739552b0c60f36f6f2
SHA1 cf4e4425ccea409e2d2eec80ad20088f934bc262
SHA256 8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb
SHA512 80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090