Malware Analysis Report

2024-11-30 15:43

Sample ID: 230112-qcaltsga53
Target: SPI MARINE.js
SHA256: ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55
Tags: vjw0rm collection spyware stealer trojan worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55

Threat Level: Known bad

The file SPI MARINE.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm collection spyware stealer trojan worm

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

outlook_win_path

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-12 13:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-12 13:06
Reported: 2023-01-12 13:09
Platform: win7-20221111-en
Max time kernel: 148s
Max time network: 151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1908

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.128.233:443 | discord.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp (15 consecutive identical connections)

Files

memory/1780-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

memory/820-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js

MD5 52a7a3de89aa5553c03bc908385e47c6
SHA1 c9119e20eb105d5f722d5fdc417a51a829b2b517
SHA256 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd
SHA512 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3

memory/1468-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/1468-61-0x00000000011B0000-0x0000000001274000-memory.dmp

memory/1468-62-0x0000000075991000-0x0000000075993000-memory.dmp

memory/1468-63-0x00000000006A0000-0x00000000006AE000-memory.dmp

memory/1468-64-0x0000000008540000-0x00000000085F2000-memory.dmp

memory/964-65-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-12 13:06
Reported: 2023-01-12 13:09
Platform: win10v2004-20221111-en
Max time kernel: 142s
Max time network: 151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4460 wrote to memory of 4852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4460 wrote to memory of 4852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.135.232:443 | discord.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp (2 consecutive identical connections)
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp (3 consecutive identical connections)
N/A | 72.21.81.240:80 | N/A | tcp (2 consecutive identical connections)
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 20.50.73.10:443 | N/A | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 96.16.53.137:80 | N/A | tcp (3 consecutive identical connections)
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp (10 consecutive identical connections)

Files

memory/4852-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js

MD5 52a7a3de89aa5553c03bc908385e47c6
SHA1 c9119e20eb105d5f722d5fdc417a51a829b2b517
SHA256 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd
SHA512 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3

memory/4732-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/4732-137-0x0000000000380000-0x0000000000444000-memory.dmp

memory/4732-138-0x0000000004E00000-0x0000000004E66000-memory.dmp

memory/4732-139-0x00000000087C0000-0x00000000087E2000-memory.dmp

memory/4732-140-0x0000000002820000-0x000000000282A000-memory.dmp

memory/4732-141-0x0000000002850000-0x0000000002862000-memory.dmp