Analysis
-
max time kernel
208s -
max time network
212s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
06/04/2025, 16:11
General
-
Target
https://tmpfiles.org/23921300/diddy.arj
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Vjw0rm family
-
Blocklisted process makes network request 13 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://tmpfiles.org/23921300/diddy.arj"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://tmpfiles.org/23921300/diddy.arj2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27100 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {a0168544-249b-4e31-8238-67add653fec7} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27136 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2504 -initialChannelId {4c15fdd7-77de-446d-9446-f1788696ec3a} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3976 -prefsLen 25164 -prefMapHandle 3980 -prefMapSize 270279 -jsInitHandle 3984 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3992 -initialChannelId {356ef528-7fb2-4013-9f4e-5af844386edc} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4144 -prefsLen 27277 -prefMapHandle 4148 -prefMapSize 270279 -ipcHandle 4156 -initialChannelId {c2e4c190-5f01-41ba-ba3e-fa8a8838bfa5} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2800 -prefsLen 34776 -prefMapHandle 2948 -prefMapSize 270279 -jsInitHandle 2712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4612 -initialChannelId {9a3382b4-7195-4472-98ce-5f7ce666bee1} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5260 -prefsLen 35013 -prefMapHandle 5256 -prefMapSize 270279 -ipcHandle 5204 -initialChannelId {fb0a3e89-3e93-4597-bda5-484616caacca} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5448 -prefsLen 32900 -prefMapHandle 5452 -prefMapSize 270279 -jsInitHandle 5456 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5356 -initialChannelId {cc88e40d-e811-4d9f-a195-f00955ca0aa8} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5660 -prefsLen 32952 -prefMapHandle 5664 -prefMapSize 270279 -jsInitHandle 5668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5676 -initialChannelId {54187b4e-f0fd-4337-ac65-5f247fa15bf6} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5868 -prefsLen 32952 -prefMapHandle 5872 -prefMapSize 270279 -jsInitHandle 5876 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5464 -initialChannelId {05451c6c-5c58-41ad-af90-817bf56f0e52} -parentPid 2996 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2996" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab3⤵
- Checks processor information in registry
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\diddy\" -ad -an -ai#7zMap9522:72:7zEvent144601⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\diddy\weird\pajilla.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\Downloads\diddy\weird\pajilla.js2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\diddy\weird\stdpx.exe"C:\Users\Admin\Downloads\diddy\weird\stdpx.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\diddy\weird\pajilla.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\Downloads\diddy\weird\pajilla.js2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\diddy\weird\pajilla.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\Downloads\diddy\weird\pajilla.js2⤵
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD526ed57acbc69eb0d55d63a7735eecea2
SHA192e24a8a5a5ee54f789af2e5b031046a96ad4757
SHA25612e278388854f076091bfba1eb8139841facc82dd7820bbd31c6f3cf1539d5b8
SHA512848d55e3c0839b95430877307b953c74ff3c11d02154c998e8a827f6b7fc056494f7450986ffffaf2a180bc6c88772eff16fddceac890b5c217bfc7d55f210e5
-
Filesize
10KB
MD5f8c7d8f986c1f9c029e5fd6da02257bc
SHA15578c9afc7633c41336793ffb5be074a5dd72597
SHA25621c4784fb8fce93e4a877446e671936a9341ec969cc033497b77d26b30328ac8
SHA512dbadf3a4dc966fe4f273ebe3a324eadc0d547c882e032913ee653d9a0131eb24c4cacedcf042234c622df6971307819ecdb344e95dde329696b1d1db72c8598a
-
Filesize
3KB
MD5102d1b70c743a8e9e42ed6a93949aa18
SHA13bf8c4bf8c636c83b571cb9be3bc23673695652b
SHA256e2805b100bcf65f2a08eab1ead6ef8395a309c82d7542bb71bd66aeed7b15d58
SHA5121da520340b31767f8b5fb5ec854f35df6b92d9478f214671d0c24bd78f9cff9849df81e5dbf6b14a55f30b67693876543fac0ec273c5b412fd5e1f1890e86ce3
-
Filesize
7KB
MD5d93f54d41d8f312ba710a5b29fbb7a12
SHA1dba638fa41a6bb602c47efd6007ab46763b0c96b
SHA2565a2788018dab990533f02e6a64dfe243aaf019f5fa0d0d69785cd63530885f80
SHA51277757a5d658d21bbf4ac683174c85b934355f5f4c192aff77defb908d0b622f3891489581e6a3ee96a6346dcd7faf1e0a968e369ddc1462d12245743a16e545f
-
Filesize
6KB
MD533bda2ea590d9f0a3ec3194e9899edf2
SHA1172d2f3a8467b72eacc8f0264e6f875297779a6b
SHA2561fd3054d640b57aa2d02dc055da9067a8284c14825c89b1ee1cc3253573c0dd3
SHA512c530748cc6e4e577f55b4ddb167543142e5303ddd0b2034336a0966854c23ed6d3192c427d33ed604602ff4fffa151ee5547e9056e04cef0824b5ea95d5131b3
-
Filesize
1KB
MD53e2195b75c93f32d4a801eaf42ab212c
SHA1bc353b0a306941d3f019d4c1b0e73557c0dd92b6
SHA25639a2c7864dacfc03cdf1ecf83ce95507dad5bad97a0288199d3dd0f21a62ffd5
SHA512a0d40128f6491b40f48c39fbf733431f51a57f5b13a10af8368399a592ef5047e6674bb03d01a9d44a149d96dd3460cc0a086a2b2bb0b9be5f7ea57b8a8c9139
-
Filesize
235B
MD560706d44126d471d15c954e840faeca2
SHA12cb8137843d95f9df613d56cc76dbab30bac36cb
SHA2567ef144eb0583a4ba025908bd4df9cd3ca175bdde4e25b02693a35b56b243d98a
SHA51297707c531f1160398296600636e6f29407fd0d7e11ed42cfe73088095dba7d0aed4c6bf772efd05869afbc33334cb87a671a8040101c85d542121cea3e70695d
-
Filesize
17KB
MD50f034fcb7030140c177a610e2e8a51e9
SHA1702c94f878eb3ff2cfa87c3dd5504a0961adb538
SHA256e247612c89dad7b295081fa61c3b086034242a5b62346024d9a47dd69bd30390
SHA5128e4dff00172f018a278b8a6ac32d58ab5274754b1e60d9f4233268effc4ac956d0ac9c174cc4d3398b3e686b874b0b417bb896b8bf8110e6f08c773b1dc9ccb6
-
Filesize
2KB
MD5b12c9bf0e0dee472b0c283daefe32770
SHA1e452bcec4cb6e87f967b43218d6796f5de67a837
SHA25641c8a4f530249d197ba71ff7b0cace4723a1ba6eea0a41c54272f32ce91e3691
SHA512e24d9536755a2cbcbbd5e603fe79c47d43cda76dad7ccbff5a7ca6a3e32b00db4c64b8f28bb2771b7a4aafce26c1402624ad55dee588748a1e74a419a2b39f00
-
Filesize
883B
MD559c5858276120eebe00c9d7519643c0b
SHA132f1c89f31056d80f72c8326535020badea39816
SHA256ed3ce94ae566859ffd7d4b83e1a034318b7747f64b5e8215ee2bf9159d3135c1
SHA51230995351b36a75eaa2e0cb603ce75d9cd8892e13ea2b185b2c86c8e1120ea0c953143ec5cb899f0a0fd21ccdad596bd9ff0ee9fdeb6a9fa1144f1413f489a9a2
-
Filesize
235B
MD541ce15e2299143b5b9426154e1be287b
SHA12679ce54c26ad474eac9f9ec9960cc1a80683e79
SHA2563402d36a40fcb81eaa5f10079ae615914c07ba17b4874cfab4f2b366f6dd2b81
SHA512532eebe2f7d503593e41d8815e031a5fb8db0421dae2ee4dac5bcf456fbbd2361676a6124b1a61680145b253e7d024c44309656a1a49e609c14e6a799b5019b3
-
Filesize
886B
MD5ab7115645f4450bc25d25246e2b98aa2
SHA19397ff933a6440496711a64e369024bae0c121ad
SHA256c1b6da27fb84d621617b20b0ad98481fce47d2709839d148ef4246249bb7ca34
SHA512fab5df91d3fe2040d74a234a476098e92dbaf7ac3024686f99e3342988b55393f9e59e0c08ad1d6fa58968ed56730dbce26c1ff8cd06acaba4f4aadf2a479b70
-
Filesize
6KB
MD5030f59697fbf5ab93cbd2552f72ec452
SHA1508e1070fbc905b010db52c8902a0dfe35d50fdf
SHA256975d2dc7684d5ce83218e69ceca217e114ebb9b3c43b85359e8db0531d1bb4d1
SHA5120620d506ff03856464b9db9b72aa0753b53c5de987d696112eb23a6c027c92f105b5a1ded3a2703f9ff604d6d48d00a11b2490d6b209f99f292123fbcf824cf5
-
Filesize
7KB
MD5e73f012b748c9bc81ea7533e4453606f
SHA119245954fe2b89254634970d815247ff6ec7da98
SHA256825df6bd0041f936fa7afa356a6b711c9114590368bf15d9912e9e574447be79
SHA512bcc93a1bc1b143b7629d20599edf71832f9ec935e8fea54f4896d8d1c0653c512019d45f22a0e90808466ab54bd572e182749d8de89a527d1afae17b432fff51
-
Filesize
6KB
MD53d61541bdf21ea566d48b2db841332c5
SHA1a1882bd5bcf6529a3f6ad2628194675fef1d5c06
SHA256b670269c6d4d1e6915b4ed03329f7c1139c2fbb230c3d840f6acdf4a1765575a
SHA5122d4bba988b8201b0b1a62634548be8dd75ce486524cc0eaa896230ec6f35d6250fd59f63a947396f65c776e37ae3c7ce112d0f935ed398717e639f9a34a61e1a
-
Filesize
6KB
MD5c32521aebe187296d4120e275cb7cae0
SHA1adbdf46fbcbee6aa4110bc0de0c1492fbb7777a5
SHA25623bb97dd9b39fd64e94e0c7608154bb7290b915f053372a754c6e88a6950b714
SHA512c35568bdc29eddb752d7063f411b352babb8d6f45c2123a8d9d326f99fbfe7c7cba83f965127ef4bbd770d777111579dbfacff5e637eb5ac05209f0a88c89298
-
Filesize
8.6MB
MD57cdf0bd0fc28087b46fb90baf1a7364a
SHA1646a1f03a00cc98c17c954eaef9cb95012752003
SHA2565eaad41a43d5b8fd135d070808bec7d12812efe0bafeda1c3d0d83cdb5efc2dd
SHA512f3b1ec7dfcd0548d427185af3af09ba579ee8cee6510e0cfe4e018736f7802f37263e753a9d75001f480601952947564a0fbf36a45c7cbb7a3836eecff51e2a8
-
Filesize
11KB
MD5ffc3b6d64ad2b18d139f02dfca4b82e0
SHA15e93a7f4e1bc9f3fb2b467cf4de3879022c07682
SHA256180264bc01ddae4f3a4f47085ea6840997d06d763d6d71ef586312c66d5971c8
SHA5128c9f797ece08ea026edcd392c8adaa67f55c3fbca50b7af39d67839e5e1887ce1768b07a148d36e4a9bdcbf941831f28510b139e04153c05c9c77d071a241a9a
-
Filesize
8.6MB
MD5c1aa8e20d0fe88e189fd5d060b448a4b
SHA1d9fb786acd9c4ab7c75630c246305719bfe47eb6
SHA25645529590edd3a3e2accc947aa3ba80b0cd10ff0c0a40127145ba4f167e50c292
SHA512b301f90c7f125d56e9c53ef25845e4f1c3ec4249842196f00b40a59c4b2e127faa96fd38f32cda65f4c9b5fb8423c4c74f17e1ccee1ca3158b7d3cfed504ca29
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
16.9MB
-
Filesize
5.6MB
-
Filesize
16.9MB