wshrat | 711cde8967739737b59a8ea4a2f3105611b27ea839e7289baedd7840059d4797

Resubmissions

21-06-2024 12:37

240621-ptjematemr 3

21-06-2024 12:08

21-06-2024 12:05

21-06-2024 12:05

21-06-2024 12:05

21-06-2024 06:25

13-06-2024 04:58

Analysis

max time kernel
34s
max time network
34s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax Returns of R48_765.js
Size

957KB
MD5

0f597e6821a29bc87b36222f08eff311
SHA1

e7f24cd04de9b92c013d71d3de526461cfb33c91
SHA256

df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028
SHA512

693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7
SSDEEP

6144:QQ5C90ha3hcY0c5OyZD5i8frkU+uKCbbBGZs3xh527wIy+6Y16vLKdYoiAL1Xl4R:TKF

Score

10^/10

wshrat execution trojan

Malware Config

Extracted

Family

wshrat

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

4 2612 wscript.exe
6 2612 wscript.exe
8 2612 wscript.exe
9 2612 wscript.exe
11 2612 wscript.exe
12 2612 wscript.exe
13 2612 wscript.exe

flow	pid	process
4	2612	wscript.exe
6	2612	wscript.exe
8	2612	wscript.exe
9	2612	wscript.exe
11	2612	wscript.exe
12	2612	wscript.exe
13	2612	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	ip-api.com

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	12	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	13	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	6	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/5/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3028 wrote to memory of 2612	3028	wscript.exe	wscript.exe
PID 3028 wrote to memory of 2612	3028	wscript.exe	wscript.exe
PID 3028 wrote to memory of 2612	3028	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R48_765.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js
Filesize
896KB

MD5
bc801f212554c9679e5610f790edbba1

SHA1
c6578e9c9c3805196f9060393c3730de99d05940

SHA256
23127bf2384c9eef48c568566fa78cd5da9482b2005e0e6cdd39a12f41e3c677

SHA512
4be8c7898250b6fa04b8cad09a80073d414a324ac33fd8bea43e30ee2f4ff84ba839e694cbd424fa6ef5c7b7c00efed780f80bd120891b5121103e07196f9e27

Download Submit
C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js
Filesize
957KB

MD5
0f597e6821a29bc87b36222f08eff311

SHA1
e7f24cd04de9b92c013d71d3de526461cfb33c91

SHA256
df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028

SHA512
693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7

Download Submit