Malware Analysis Report

2024-11-30 15:40

Sample ID 230117-1zc1ksgh48
Target d534da11-be41-4c1b-ab00-ddcf7bc442d0.js
SHA256 26c461c102538e0758dbc3f003850cf7c30760ff2d180dab4759f34e2cd951a1
Tags
vjw0rm collection spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26c461c102538e0758dbc3f003850cf7c30760ff2d180dab4759f34e2cd951a1

Threat Level: Known bad

The file d534da11-be41-4c1b-ab00-ddcf7bc442d0.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm collection spyware stealer trojan worm

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-17 22:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-17 22:04

Reported

2023-01-17 22:08

Platform

win7-20221111-en

Max time kernel

175s

Max time network

229s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEDrooilsg.js"

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1884

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ipinfo.io udp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.136.232:443 discord.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp

Files

memory/432-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PEDrooilsg.js

MD5 2ae3f4bf78428996391b735422d69932
SHA1 c7cabe2cb2488d4dec8c31ec5d3694244f559149
SHA256 c2f18d683b7e47c1758130920b336bdd440c3e879a2175b241b4b5d58e79604d
SHA512 9f95c35cca567fb73fe4164402e5662fbe8839934491cc7e447338235ee4584f0c94ecb4dd1477cf2fe9f931b1a6ce0223f610cae54aab0d3aa789674bb880d8

memory/1508-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

memory/432-59-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

memory/1508-60-0x00000000012B0000-0x0000000001374000-memory.dmp

memory/1508-61-0x0000000075E81000-0x0000000075E83000-memory.dmp

memory/1508-62-0x0000000000A00000-0x0000000000A0E000-memory.dmp

memory/1508-63-0x0000000008570000-0x0000000008622000-memory.dmp

memory/1992-64-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-17 22:04

Reported

2023-01-17 22:07

Platform

win10v2004-20220901-en

Max time kernel

143s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEDrooilsg.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Payload (3).exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d534da11-be41-4c1b-ab00-ddcf7bc442d0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEDrooilsg.js"

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

"C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"

Network

Country Destination Domain Proto
N/A 52.109.8.45:443 tcp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 ipinfo.io udp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.137.232:443 discord.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 20.189.173.15:443 tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 2.18.109.224:443 tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp

Files

memory/1628-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PEDrooilsg.js

MD5 2ae3f4bf78428996391b735422d69932
SHA1 c7cabe2cb2488d4dec8c31ec5d3694244f559149
SHA256 c2f18d683b7e47c1758130920b336bdd440c3e879a2175b241b4b5d58e79604d
SHA512 9f95c35cca567fb73fe4164402e5662fbe8839934491cc7e447338235ee4584f0c94ecb4dd1477cf2fe9f931b1a6ce0223f610cae54aab0d3aa789674bb880d8

memory/4808-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

C:\Users\Admin\AppData\Local\Temp\Payload (3).exe

MD5 3e8af9fffb1b980b193508f6a8a8cdc3
SHA1 e91e6f525952ae5a812d3cd3a795c6aeca94e527
SHA256 ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
SHA512 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

memory/4808-137-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/4808-138-0x0000000006F30000-0x0000000006F96000-memory.dmp

memory/4808-139-0x00000000082F0000-0x0000000008312000-memory.dmp

memory/4808-140-0x00000000082C0000-0x00000000082CA000-memory.dmp

memory/4808-141-0x0000000008730000-0x0000000008742000-memory.dmp