Malware Analysis Report

2024-11-30 15:45

Sample ID: 230120-ygzqhshf54
Target: PAYMENT RECEIPT.js
SHA256: 6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5
Tags: vjw0rm trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5

Threat Level: Known bad

The file PAYMENT RECEIPT.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-20 19:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-20 19:46
Reported: 2023-01-20 19:48
Platform: win7-20220812-en
Max time kernel: 146s
Max time network: 150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp

Files

memory/952-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VpdWufezad.js

MD5: 29b7dfa182095ac131dc0fe29ac1114f
SHA1: da5c6968d5c0c93ec8c5c03d6beb846a18f88514
SHA256: 182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479
SHA512: 743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c

memory/952-56-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-20 19:46
Reported: 2023-01-20 19:48
Platform: win10v2004-20221111-en
Max time kernel: 151s
Max time network: 156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"

Signatures

Vjw0rm

trojan worm vjw0rm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1300 wrote to memory of 4224 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1300 wrote to memory of 4224 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"

Network

Country | Destination | Domain | Proto
N/A | 72.21.91.29:80 | | tcp
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 40.77.2.164:443 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 52.168.117.170:443 | | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 88.221.25.154:80 | | tcp
N/A | 88.221.25.154:80 | | tcp
N/A | 88.221.25.154:80 | | tcp
N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp
N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp

Files

memory/4224-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VpdWufezad.js

MD5: 29b7dfa182095ac131dc0fe29ac1114f
SHA1: da5c6968d5c0c93ec8c5c03d6beb846a18f88514
SHA256: 182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479
SHA512: 743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c