Malware Analysis Report

2024-11-30 15:43

Sample ID: 230112-s5xm6scc31
Target: 35K MT SOYBEAN MEAL.js
SHA256: ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55
Tags: vjw0rm collection spyware stealer trojan worm
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55

Threat Level: Known bad

The file 35K MT SOYBEAN MEAL.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm collection spyware stealer trojan worm

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported: 2023-01-12 15:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-12 15:43

Reported: 2023-01-12 15:45

Platform: win7-20220901-en

Max time kernel: 149s

Max time network: 154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1844

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.137.232:443 | discord.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp

Files

memory/1036-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

memory/564-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js

MD5 52a7a3de89aa5553c03bc908385e47c6
SHA1 c9119e20eb105d5f722d5fdc417a51a829b2b517
SHA256 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd
SHA512 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3

memory/716-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/716-61-0x0000000000020000-0x00000000000E4000-memory.dmp

memory/716-62-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

memory/716-63-0x00000000006A0000-0x00000000006AE000-memory.dmp

memory/716-64-0x00000000087B0000-0x0000000008862000-memory.dmp

memory/1924-65-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-12 15:43

Reported: 2023-01-12 15:45

Platform: win10v2004-20220812-en

Max time kernel: 143s

Max time network: 148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 5032 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2240 wrote to memory of 5032 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 8.8.8.8:53 | discord.com | udp
N/A | 162.159.136.232:443 | discord.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 20.50.201.200:443 | | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp

Files

memory/5032-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js

MD5 52a7a3de89aa5553c03bc908385e47c6
SHA1 c9119e20eb105d5f722d5fdc417a51a829b2b517
SHA256 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd
SHA512 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3

memory/2112-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/2112-137-0x0000000000970000-0x0000000000A34000-memory.dmp

memory/2112-138-0x0000000007790000-0x00000000077F6000-memory.dmp

memory/2112-139-0x0000000008B30000-0x0000000008B52000-memory.dmp

memory/2112-140-0x0000000002C00000-0x0000000002C0A000-memory.dmp

memory/2112-141-0x0000000002C30000-0x0000000002C42000-memory.dmp