wshrat | 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7
submitted
09-10-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CV Actualis_.bin.exe
Size

1.7MB
MD5

384b434bcfeec7287cf02b7aefa06c52
SHA1

8e2abd5f01f36b38d3674847dff518e7a4eef897
SHA256

0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d
SHA512

a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

Score

10^/10

persistence trojan wshrat discovery

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blacklisted process makes network request 27 IoCs

flow	pid	Process
5	1888	wscript.exe
7	1888	wscript.exe
8	1888	wscript.exe
9	1888	wscript.exe
10	1888	wscript.exe
11	1888	wscript.exe
12	1888	wscript.exe
13	1888	wscript.exe
15	1888	wscript.exe
16	1888	wscript.exe
17	1888	wscript.exe
19	1888	wscript.exe
20	1888	wscript.exe
21	1888	wscript.exe
23	1888	wscript.exe
24	1888	wscript.exe
25	1888	wscript.exe
27	1888	wscript.exe
28	1888	wscript.exe
29	1888	wscript.exe
31	1888	wscript.exe
32	1888	wscript.exe
33	1888	wscript.exe
35	1888	wscript.exe
36	1888	wscript.exe
37	1888	wscript.exe
40	1888	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
1304	InstallSlimPDFReader.exe
1844	InstallSlimPDFReader.tmp
1892	kl-plugin.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	wscript.exe

Loads dropped DLL 6 IoCs

pid	Process
240	CV Actualis_.bin.exe
1304	InstallSlimPDFReader.exe
1844	InstallSlimPDFReader.tmp
1844	InstallSlimPDFReader.tmp
1844	InstallSlimPDFReader.tmp
1888	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe	CV Actualis_.bin.exe
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.js	CV Actualis_.bin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1396	taskkill.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	33	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	37	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	10	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	36	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	7	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	13	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	17	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	24	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	8	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	19	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	25	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1844	InstallSlimPDFReader.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	kl-plugin.exe
1892	kl-plugin.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	25
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	25
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	25
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	25
PID 1820 wrote to memory of 1888	1820	WScript.exe	26
PID 1820 wrote to memory of 1888	1820	WScript.exe	26
PID 1820 wrote to memory of 1888	1820	WScript.exe	26
PID 1820 wrote to memory of 1888	1820	WScript.exe	26
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	27
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	28
PID 1888 wrote to memory of 1796	1888	wscript.exe	36
PID 1888 wrote to memory of 1796	1888	wscript.exe	36
PID 1888 wrote to memory of 1796	1888	wscript.exe	36
PID 1888 wrote to memory of 1796	1888	wscript.exe	36
PID 1796 wrote to memory of 1396	1796	cmd.exe	38
PID 1796 wrote to memory of 1396	1796	cmd.exe	38
PID 1796 wrote to memory of 1396	1796	cmd.exe	38
PID 1796 wrote to memory of 1396	1796	cmd.exe	38
PID 1888 wrote to memory of 1892	1888	wscript.exe	39
PID 1888 wrote to memory of 1892	1888	wscript.exe	39
PID 1888 wrote to memory of 1892	1888	wscript.exe	39
PID 1888 wrote to memory of 1892	1888	wscript.exe	39

C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\InstallSlimPDFReader.js"
    3⤵
    - Blacklisted process makes network request
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM kl-plugin.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
  - - C:\Users\Admin\AppData\Roaming\kl-plugin.exe
      "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" blackid-43205.portmap.io 1118 "WSHRAT|F86B013E|AVGLFESB|Admin|Microsoft Windows 7 Professional |plus|nan-av|false - 9/10/2020|JavaScript-v2.0|NL:Netherlands" 1
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1892
- C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
  "C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp" /SL5="$300A8,1106375,177152,C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-17-0x000007FEF7AF0000-0x000007FEF7D6A000-memory.dmp

Filesize
2.5MB

Download
memory/1820-3-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download