Malware Analysis Report

2024-11-30 15:45

Sample ID: 230120-ygzqhsbe5w
Target: SHIPPING DOC MBL No - DBA0280069.js
SHA256: 947e1f1f0903f66206d335fa3d1774b06305c9f2e3cb12a725e60d12de40d54e
Tags: vjw0rm, trojan, worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 947e1f1f0903f66206d335fa3d1774b06305c9f2e3cb12a725e60d12de40d54e
Threat Level: Known bad

The file SHIPPING DOC MBL No - DBA0280069.js was found to be: Known bad.

Malicious Activity Summary

Tags: vjw0rm, trojan, worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-20 19:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-20 19:46
Reported: 2023-01-20 19:48
Platform: win7-20221111-en
Max time kernel: 151s
Max time network: 157s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC MBL No - DBA0280069.js"

Signatures

Vjw0rm

Tags: trojan, worm, vjw0rm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1336 wrote to memory of 660 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC MBL No - DBA0280069.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js"

Network

Country | Destination | Domain | Proto | Count
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp | 16

Files

memory/660-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js
MD5: 684279c92303f5c020fbdfe49148b4b3
SHA1: 8dbca5701c2b410a30f65fca299dbcdc85d594a8
SHA256: cd2dbd8e61696334f284b70348ac2cea921ee208d7138cd09d63d85a70ce309d
SHA512: 00daff59f643f8f8a8005eb24e6060191b96672ebf380d9e8499aca044d78c95ee759ac9ad30e739080aaa48a9cb232a488cd9054f24bce32d9f636714425ba0

memory/660-56-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-20 19:46
Reported: 2023-01-20 19:48
Platform: win10v2004-20221111-en
Max time kernel: 147s
Max time network: 155s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC MBL No - DBA0280069.js"

Signatures

Vjw0rm

Tags: trojan, worm, vjw0rm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vdRZNzCDhD.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1848 wrote to memory of 4812 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC MBL No - DBA0280069.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js"

Network

Country | Destination | Domain | Proto | Count
N/A | 52.109.13.62:443 | N/A | tcp | 1
N/A | 93.184.221.240:80 | N/A | tcp | 3
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp | 12
N/A | 52.182.143.211:443 | N/A | tcp | 1
N/A | 104.80.225.205:443 | N/A | tcp | 1
N/A | 87.248.202.1:80 | N/A | tcp | 1

Files

memory/4812-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vdRZNzCDhD.js
MD5: 684279c92303f5c020fbdfe49148b4b3
SHA1: 8dbca5701c2b410a30f65fca299dbcdc85d594a8
SHA256: cd2dbd8e61696334f284b70348ac2cea921ee208d7138cd09d63d85a70ce309d
SHA512: 00daff59f643f8f8a8005eb24e6060191b96672ebf380d9e8499aca044d78c95ee759ac9ad30e739080aaa48a9cb232a488cd9054f24bce32d9f636714425ba0