Overview

overview

10

Static

static

1

ORDER-2461...-24.js

windows7-x64

10

ORDER-2461...-24.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-24617-01667859-24.js

  • Size

    7KB

  • MD5

    f3e6a7eba2bd6ca312768ac1560bad6f

  • SHA1

    04a683416a38f3c8acf06b64fd5e598a2902f684

  • SHA256

    7a06aaf3103d9dce60c0c4652fd505c7a8df42c826d486be1973008d1c22c838

  • SHA512

    4ea84c8c33a0fa6a235f6b5ec620e172a5ea5f4a9f372307ea9e1946d6393326bec448e32cadacb1c444270c973046a09be3c590fb7ae61fcc76999553e03265

  • SSDEEP

    48:95jUotZH9ZR0/kdlZK8rflZPos9ZPfBjBZfo5CvA7ehZvKoN69ZLi1t16r1SBZ5B:T0/ZYbukAKdrKBXB1XBdi

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://jinvestments.duckdns.org:7044

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 25 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24617-01667859-24.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HTYBQC.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM kl-plugin.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:556
        • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
          "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" jinvestments.duckdns.org 7044 "WSHRAT|F4850773|EILATWEW|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 6/17/2024|Visual Basic-v2.0|GB:United Kingdom" 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\json[1].json
    Filesize

    297B

    MD5

    be2ba1a8c142b5fa2178396ac67cb7d8

    SHA1

    b7c3d209d9c95d4b67d7ffb3c777d07f398260a5

    SHA256

    1191fa5928ed7ebf51830c0e601a327fb6480e4f35d9f96962c828b5b45ea260

    SHA512

    cca824422ebcc194e96c6af6c66160409b6c4f9e30af387921ad55712fc4316866e7ac3b2806427f7e06e43e99ef56e612738261f8d38fb58ef2758dc13c9204

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs
    Filesize

    832KB

    MD5

    9eb84b410320b27a000a848a1c22b91c

    SHA1

    7b84f1301c73993648f0bdf254f1fc202a12aab8

    SHA256

    f44a15168c937d547a57015ccdf034d5f958fa9e9a159e09730b09acb17124dc

    SHA512

    9ab878e70322df08ebe934e18b30d7b151f49a27ca99fafefa77fdd81ef3ed05700671d0e0dc22842355995fd2c5dc39442d60a9559635eda11ca17194d2d203

    Download Submit
  • C:\Users\Admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\user.config
    Filesize

    1KB

    MD5

    6adab4c76fc078ab342c1543663b25b8

    SHA1

    30f33a9d2ef56dfc9e5f8b48ebb38c5e4503e8c3

    SHA256

    367d9883f14feff7473dd6936c4378e25c1829de2d5e835e767185b8637e5d3a

    SHA512

    5162d86367bf0b02c123835098f5f141d5c36691e7d211684e9fed4b15185690ea3c8d2406d2432899ca64a58fde4743e640950c62480704bdce855a84131339

    Download Submit
  • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
    Filesize

    25KB

    MD5

    7099a939fa30d939ccceb2f0597b19ed

    SHA1

    37b644ef5722709cd9024a372db4590916381976

    SHA256

    272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

    SHA512

    6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

    Download Submit