wshrat | fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
Size

7KB
MD5

8a006c1466998c2bde5fa110296bf4da
SHA1

38f5819efe2bfece434ff9de7ce327ad1dab920a
SHA256

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05
SHA512

f90be849f383d9919c8463b4041d1e89a4de5e47cf9ef1dcb21f8af0d326857ce45e75c7100aed1c217b885a077001cfa50bb7489144f5f010e84b20c3d19ece
SSDEEP

96:p8KvZU3TRRkyPWXsy7jZRZcmq74qe0tJLgy0c15Q:rsTRAL/ure0tFgc8

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

Processes:

wscript.exeWScript.exe

flow	pid	process
5	2188	wscript.exe
7	2188	wscript.exe
10	2740	WScript.exe
11	2740	WScript.exe
12	2740	WScript.exe
14	2740	WScript.exe
17	2740	WScript.exe
18	2740	WScript.exe
20	2740	WScript.exe
21	2740	WScript.exe
22	2740	WScript.exe
24	2740	WScript.exe
25	2740	WScript.exe
26	2740	WScript.exe
28	2740	WScript.exe
29	2740	WScript.exe
30	2740	WScript.exe
32	2740	WScript.exe
33	2740	WScript.exe
34	2740	WScript.exe
36	2740	WScript.exe
37	2740	WScript.exe
38	2740	WScript.exe
40	2740	WScript.exe
41	2740	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTJAHZ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTJAHZ.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HTJAHZ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HTJAHZ.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTJAHZ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HTJAHZ.js\""	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Script User-Agent 23 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	12	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	17	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	22	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	34	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	40	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	11	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	25	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	28	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	37	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	38	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	41	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	14	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	21	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	29	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	10	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	18	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	20	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	33	WSHRAT\|98A703FB\|UIBNQNMA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/5/2024\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2188 wrote to memory of 2740	2188	wscript.exe	WScript.exe
PID 2188 wrote to memory of 2740	2188	wscript.exe	WScript.exe
PID 2188 wrote to memory of 2740	2188	wscript.exe	WScript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HTJAHZ.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HTJAHZ.js
Filesize
305KB

MD5
e46b574e60419cc1211889c5334d9ad1

SHA1
7a8dc97591e63ad2c8d95e4ff10db8a154921114

SHA256
19d3f805b1b14e5b30cb12595d980479490079e7b8b44e392d3dc89373aa6cd3

SHA512
a547c6f5cffcd2fb1cb05617cb642e2125ab7cd1fb11cfed72aa3cb4ce151b1bf73b9ef73905e6d9b1654a5d24e5f9cb76504e388489c8c663fb62b9494b6c39

Download Submit