Malware Analysis Report

2024-11-30 15:42

Sample ID 230113-kklq6sbd5v
Target Proforma DA request.js
SHA256 d545270fe4ea4823d14c419ec38d3c1f861c6a24c096b3b0953960428c4ef395
Tags
vjw0rm collection spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d545270fe4ea4823d14c419ec38d3c1f861c6a24c096b3b0953960428c4ef395

Threat Level: Known bad

The file Proforma DA request.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm collection spyware stealer trojan worm

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Program crash

Enumerates physical storage devices

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-13 08:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-13 08:39

Reported

2023-01-13 08:42

Platform

win7-20221111-en

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1872

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.128.233:443 discord.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp

Files

memory/1540-54-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

memory/660-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js

MD5 bc7e3f3b7e656d7210168ade916e46ed
SHA1 210515856852a1563147ce7e86504c6ceede5f27
SHA256 9cfe508ba1049698650251a3ae53bdc78770d77d1bbe6d30653eb5c4fa29acba
SHA512 bb8424b6b60d66db6e021fcc6ab132437addbb196bd1709e855ea184c5dcfdd5aa8c3008c3526dc6f8c475165f18b966766850e758fccdd40bfd04874c6e5c17

memory/1656-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/1656-61-0x00000000003C0000-0x0000000000484000-memory.dmp

memory/1656-62-0x0000000075931000-0x0000000075933000-memory.dmp

memory/1656-63-0x0000000000570000-0x000000000057E000-memory.dmp

memory/1656-64-0x0000000008450000-0x0000000008502000-memory.dmp

memory/1732-65-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-13 08:39

Reported

2023-01-13 08:42

Platform

win10v2004-20220901-en

Max time kernel

141s

Max time network

147s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 3852 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2224 wrote to memory of 3852 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2224 wrote to memory of 3800 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2224 wrote to memory of 3800 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2224 wrote to memory of 3800 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.128.233:443 discord.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 209.197.3.8:80 N/A tcp
N/A 20.189.173.5:443 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 13.107.42.16:443 N/A tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp

Files

memory/3852-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js

MD5 bc7e3f3b7e656d7210168ade916e46ed
SHA1 210515856852a1563147ce7e86504c6ceede5f27
SHA256 9cfe508ba1049698650251a3ae53bdc78770d77d1bbe6d30653eb5c4fa29acba
SHA512 bb8424b6b60d66db6e021fcc6ab132437addbb196bd1709e855ea184c5dcfdd5aa8c3008c3526dc6f8c475165f18b966766850e758fccdd40bfd04874c6e5c17

memory/3800-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 2b7f757f0a02ced496481020f0b8f1eb
SHA1 21f11c5f725648d27af684ecff61c3ef7ecbcba3
SHA256 e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9
SHA512 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7

memory/3800-137-0x0000000000E70000-0x0000000000F34000-memory.dmp

memory/3800-138-0x0000000007D90000-0x0000000007DF6000-memory.dmp

memory/3800-139-0x00000000092B0000-0x00000000092D2000-memory.dmp

memory/3800-140-0x0000000003190000-0x000000000319A000-memory.dmp

memory/3800-141-0x00000000031C0000-0x00000000031D2000-memory.dmp