Malware Analysis Report

2024-11-30 15:45

Sample ID 230118-a8bwrsca99
Target 98e3648add4ab0724ebeb54eb720e8ad97ad52b0
SHA256 9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b
Tags
vjw0rm spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b

Threat Level: Known bad

The file 98e3648add4ab0724ebeb54eb720e8ad97ad52b0 was found to be: Known bad.

Malicious Activity Summary

vjw0rm spyware stealer trojan worm

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-18 00:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-18 00:52

Reported

2023-01-18 00:55

Platform

win7-20221111-en

Max time kernel

183s

Max time network

187s

Command Line

C:\Windows\Explorer.EXE

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1112 set thread context of 1244 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 296 set thread context of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 1916 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1520 wrote to memory of 1916 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1520 wrote to memory of 1916 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1520 wrote to memory of 1112 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1520 wrote to memory of 1112 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1520 wrote to memory of 1112 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1520 wrote to memory of 1112 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1244 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 296 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 296 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 296 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 296 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 296 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.ambilis.com udp
N/A 199.59.243.222:80 www.ambilis.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.sqlite.org udp
N/A 45.33.6.223:80 www.sqlite.org tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.theedenpublicschool.com udp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 199.59.243.222:80 www.ambilis.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.theedenpublicschool.com udp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 8.8.8.8:53 theedenpublicschool.com udp
N/A 162.214.81.26:80 theedenpublicschool.com tcp
N/A 8.8.8.8:53 www.ecomicsvilla.com udp
N/A 198.252.102.191:80 www.ecomicsvilla.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 198.252.102.191:80 www.ecomicsvilla.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.boltag.xyz udp
N/A 199.192.31.98:80 www.boltag.xyz tcp
N/A 199.192.31.98:80 www.boltag.xyz tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.f1253.com udp
N/A 34.92.178.239:80 www.f1253.com tcp
N/A 34.92.178.239:80 www.f1253.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.pushpaholidays.com udp
N/A 216.239.38.21:80 www.pushpaholidays.com tcp

Files

memory/1916-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js

MD5 90c052e2282de1c12470fc54d62681d9
SHA1 ea069b254dde1f6cad46afedf55c69d4516a0d7a
SHA256 be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097
SHA512 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7

memory/1112-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

memory/1916-58-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

memory/1112-59-0x00000000010A0000-0x00000000010CF000-memory.dmp

memory/1112-60-0x00000000010A0000-0x00000000010CF000-memory.dmp

memory/1112-61-0x00000000008D0000-0x0000000000BD3000-memory.dmp

memory/1112-62-0x00000000000B0000-0x00000000000C0000-memory.dmp

memory/1244-63-0x0000000004830000-0x0000000004929000-memory.dmp

memory/296-64-0x0000000000000000-mapping.dmp

memory/1112-65-0x00000000010A0000-0x00000000010CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

memory/296-67-0x000000004A070000-0x000000004A0BC000-memory.dmp

memory/296-68-0x0000000000080000-0x00000000000AD000-memory.dmp

memory/296-69-0x0000000001F30000-0x0000000002233000-memory.dmp

memory/296-70-0x0000000001CF0000-0x0000000001D7F000-memory.dmp

memory/1244-71-0x0000000006D60000-0x0000000006E37000-memory.dmp

memory/296-72-0x00000000753F1000-0x00000000753F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\sqlite3.dll

MD5 00a91261929192a7facc32a9f330029a
SHA1 7df4ffdf48a6df0bac21a82d6db56aa11db470dc
SHA256 c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f
SHA512 18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

memory/1244-74-0x0000000006D60000-0x0000000006E37000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-18 00:52

Reported

2023-01-18 00:55

Platform

win10v2004-20221111-en

Max time kernel

187s

Max time network

188s

Command Line

C:\Windows\Explorer.EXE

Signatures

Vjw0rm

trojan worm vjw0rm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4152 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 5112 set thread context of 2532 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 1884 -ip 1884

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1884 -s 116

Network

Country Destination Domain Proto
N/A 72.21.81.240:80 tcp
N/A 72.21.91.29:80 tcp
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
N/A 8.8.8.8:53 www.ambilis.com udp
N/A 199.59.243.222:80 www.ambilis.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 www.theedenpublicschool.com udp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 162.214.81.26:80 www.theedenpublicschool.com tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp
N/A 194.5.98.109:5443 javaautorun.duia.ro tcp

Files

memory/1684-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js

MD5 90c052e2282de1c12470fc54d62681d9
SHA1 ea069b254dde1f6cad46afedf55c69d4516a0d7a
SHA256 be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097
SHA512 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7

memory/4152-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 f9fdfca55156f35ea48a17947d091f4d
SHA1 15f10040cf10535deed5ca028150ed847a585d01
SHA256 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0
SHA512 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

memory/4152-137-0x0000000000760000-0x000000000078F000-memory.dmp

memory/4152-138-0x0000000000D50000-0x000000000109A000-memory.dmp

memory/4152-139-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2532-140-0x0000000007450000-0x000000000756E000-memory.dmp

memory/5112-141-0x0000000000000000-mapping.dmp

memory/4152-142-0x0000000000760000-0x000000000078F000-memory.dmp

memory/2532-143-0x0000000007450000-0x000000000756E000-memory.dmp

memory/5112-145-0x0000000000770000-0x000000000079D000-memory.dmp

memory/5112-144-0x0000000000440000-0x0000000000454000-memory.dmp

memory/5112-146-0x0000000002870000-0x0000000002BBA000-memory.dmp

memory/5112-147-0x0000000002690000-0x000000000271F000-memory.dmp

memory/2532-148-0x0000000008650000-0x0000000008754000-memory.dmp

memory/5112-149-0x0000000000770000-0x000000000079D000-memory.dmp

memory/2532-150-0x0000000008650000-0x0000000008754000-memory.dmp