Malware Analysis Report

2025-01-18 12:22

Sample ID 221109-r1d5labccm
Target 879-5160.js
SHA256 74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68
Tags
vjw0rm persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68

Threat Level: Known bad

The file 879-5160.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 14:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 14:39

Reported

2022-11-09 14:40

Platform

win7-20220812-en

Max time kernel

24s

Max time network

64s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

Vjw0rm

trojan worm vjw0rm

Drops startup file

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\""
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\""
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
Process: C:\Windows\system32\wscript.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"

Network

N/A

Files

memory/608-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

memory/1752-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js

MD5 4ae28435a346bd27612683e2dd95d23a
SHA1 cf1e5c6550216f15e175576d9229a6ed2bed965f
SHA256 c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa
SHA512 9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f

memory/1444-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\food.jar

MD5 3af77cc94136164de04568f4f1aed56c
SHA1 4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256 b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512 657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 14:39

Reported

2022-11-09 14:40

Platform

win10v2004-20220812-en

Max time kernel

36s

Max time network

59s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Network

Country  Destination        Domain  Proto
US       8.238.20.254:80            tcp
US       8.238.20.126:80            tcp
US       8.238.20.126:80            tcp
US       52.109.8.44:443            tcp

Files

N/A