Malware Analysis Report

2024-11-15 08:04

Sample ID: 230310-jr5bescc39
Target: done.js
SHA256: 3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1
Tags: vjw0rm trojan worm
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1

Threat Level: Known bad

The file done.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-03-10 07:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-10 07:55
Reported: 2023-03-10 07:57
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js

Signatures

Vjw0rm

trojan worm vjw0rm

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js | C:\Windows\System32\wscript.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 904 wrote to memory of 1424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 904 wrote to memory of 1424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 904 wrote to memory of 1424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 904 wrote to memory of 1920 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 904 wrote to memory of 1920 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 904 wrote to memory of 1920 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| NL | 84.21.172.33:8895 | 84.21.172.33 | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |

Files

C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js

MD5 4083302483805e12c18b4af0fea38f90
SHA1 39cf040ed83a60b03b589f8fb4a0a7eb4e7ed94a
SHA256 4466a41c5a4186418db1344742285a9c0fa2535b7190993e9b071a273e800800
SHA512 4f8759dec93ff19dc14ae02bea6e8c9592da20569f62e1a34b435d353b3f1f7b19cd02d1296fd9ac75833a5a1dfdcc713c4cbdba0098e85a6ef5ee6544b818fa

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-10 07:55
Reported: 2023-03-10 07:57
Platform: win10v2004-20230221-en
Max time kernel: 146s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js

Signatures

Vjw0rm

trojan worm vjw0rm

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js | C:\Windows\System32\wscript.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4548 wrote to memory of 1800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4548 wrote to memory of 1800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4548 wrote to memory of 2532 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 4548 wrote to memory of 2532 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 84.21.172.33:8895 | 84.21.172.33 | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 33.172.21.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 52.152.108.96:443 | | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 13.89.179.8:443 | | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js

MD5 4083302483805e12c18b4af0fea38f90
SHA1 39cf040ed83a60b03b589f8fb4a0a7eb4e7ed94a
SHA256 4466a41c5a4186418db1344742285a9c0fa2535b7190993e9b071a273e800800
SHA512 4f8759dec93ff19dc14ae02bea6e8c9592da20569f62e1a34b435d353b3f1f7b19cd02d1296fd9ac75833a5a1dfdcc713c4cbdba0098e85a6ef5ee6544b818fa