wshrat | 3c881e2fb1512cbee7733901141d98c1ba75f107a9438f5ad46b86a3878bfb81 | Triage

Submit
Reports

Overview

overview

Static

static

1

ORDER-2461...-24.js

windows7-x64

ORDER-2461...-24.js

windows10-2004-x64

Sharing

General

Target

ORDER-24617-01667859-24.001
Size

714B
Sample

240617-m96trasbkk
MD5

19a81145c349fca5fe2e220f38efa4f9
SHA1

1af10706ea05b364b9ebfff5269dfdb57aee43b5
SHA256

3c881e2fb1512cbee7733901141d98c1ba75f107a9438f5ad46b86a3878bfb81
SHA512

905ecc05d7779f31eda8ad9ac3bba5ab04e69001976cab1d96b3b4d29cb75f73f34b7c382c2e14ebd93348f020066d12305d396892483c62adcc94bced322e41

Score

10^/10

wshrat execution persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

ORDER-24617-01667859-24.js

Resource

win7-20240611-en

wshrat execution persistence trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ORDER-24617-01667859-24.js

Resource

win10v2004-20240611-en

wshrat execution persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

wshrat

C2

http://jinvestments.duckdns.org:7044

Targets

- Target
  
  ORDER-24617-01667859-24.js
- Size
  
  7KB
- MD5
  
  f3e6a7eba2bd6ca312768ac1560bad6f
- SHA1
  
  04a683416a38f3c8acf06b64fd5e598a2902f684
- SHA256
  
  7a06aaf3103d9dce60c0c4652fd505c7a8df42c826d486be1973008d1c22c838
- SHA512
  
  4ea84c8c33a0fa6a235f6b5ec620e172a5ea5f4a9f372307ea9e1946d6393326bec448e32cadacb1c444270c973046a09be3c590fb7ae61fcc76999553e03265
- SSDEEP
  
  48:95jUotZH9ZR0/kdlZK8rflZPos9ZPfBjBZfo5CvA7ehZvKoN69ZLi1t16r1SBZ5B:T0/ZYbukAKdrKBXB1XBdi
Score

10^/10

wshrat execution persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

wshratexecutionpersistencetrojan

behavioral2

wshratexecutionpersistencetrojan

© 2018-2024

Terms | Privacy