Malware Analysis Report

2024-11-30 15:43

Sample ID 230112-qceksaga54
Target SPI MARINE1.js
SHA256 f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d
Tags
vjw0rm collection spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d

Threat Level: Known bad

The file SPI MARINE1.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm collection spyware stealer trojan worm

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

outlook_office_path

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-12 13:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-12 13:06

Reported

2023-01-12 13:09

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

"C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.138.232:443 discord.com tcp
N/A 8.8.8.8:53 mail.agritrader.net.ve udp
N/A 190.114.12.98:587 mail.agritrader.net.ve tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.238.20.126:80 tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 13.89.179.8:443 tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.238.20.126:80 tcp
N/A 8.238.20.126:80 tcp
N/A 8.253.208.120:80 tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp

Files

memory/4508-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js

MD5 c3ac7171af4f9c6564c944b0c43e11c3
SHA1 17199bac943ab82cf4d97bc4a6d2a262121138d5
SHA256 5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4
SHA512 0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

MD5 5d69b96143f57d5a20e3e118308005b6
SHA1 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07
SHA256 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed
SHA512 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

memory/632-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

MD5 5d69b96143f57d5a20e3e118308005b6
SHA1 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07
SHA256 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed
SHA512 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

memory/632-137-0x00000000003C0000-0x0000000000482000-memory.dmp

memory/632-138-0x00000000072D0000-0x0000000007336000-memory.dmp

memory/632-139-0x0000000008800000-0x0000000008822000-memory.dmp

memory/632-140-0x0000000008CC0000-0x0000000008CCA000-memory.dmp

memory/632-141-0x0000000008CF0000-0x0000000008D02000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-12 13:06

Reported

2023-01-12 13:09

Platform

win7-20220812-en

Max time kernel

147s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload-1.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

"C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.128.233:443 discord.com tcp
N/A 8.8.8.8:53 mail.agritrader.net.ve udp
N/A 190.114.12.98:587 mail.agritrader.net.ve tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp

Files

memory/1096-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

memory/1112-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js

MD5 c3ac7171af4f9c6564c944b0c43e11c3
SHA1 17199bac943ab82cf4d97bc4a6d2a262121138d5
SHA256 5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4
SHA512 0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200

memory/1620-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

MD5 5d69b96143f57d5a20e3e118308005b6
SHA1 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07
SHA256 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed
SHA512 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

C:\Users\Admin\AppData\Local\Temp\Payload-1.exe

MD5 5d69b96143f57d5a20e3e118308005b6
SHA1 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07
SHA256 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed
SHA512 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73

memory/1620-61-0x0000000000DB0000-0x0000000000E72000-memory.dmp

memory/1620-62-0x00000000768A1000-0x00000000768A3000-memory.dmp

memory/1620-63-0x0000000000600000-0x000000000060E000-memory.dmp

memory/1620-64-0x0000000008220000-0x00000000082D2000-memory.dmp