wshrat | 3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

General

Target

receipt.js
Size

210KB
MD5

0d18f9a0a1605a34247be8918dd3d360
SHA1

1046c9c221468b1a8725d9e958ddf20b0ec3a6c1
SHA256

3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de
SHA512

cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\receipt.js	family_wshrat
C:\Users\Admin\AppData\Roaming\receipt.js	family_wshrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js	family_wshrat

Blocklisted process makes network request 29 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
7	740	wscript.exe
8	740	wscript.exe
9	4056	wscript.exe
10	4056	wscript.exe
12	4056	wscript.exe
13	4056	wscript.exe
19	4056	wscript.exe
23	4056	wscript.exe
24	4056	wscript.exe
25	4056	wscript.exe
26	4056	wscript.exe
27	4056	wscript.exe
29	4056	wscript.exe
30	4056	wscript.exe
31	4056	wscript.exe
32	4056	wscript.exe
33	4056	wscript.exe
34	4056	wscript.exe
35	4056	wscript.exe
37	4056	wscript.exe
38	4056	wscript.exe
39	4056	wscript.exe
40	4056	wscript.exe
41	4056	wscript.exe
44	4056	wscript.exe
45	4056	wscript.exe
47	4056	wscript.exe
48	4056	wscript.exe
49	4056	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\receipt.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
11	ip-api.com

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description pid process target process

PID 740 wrote to memory of 4056 740 wscript.exe wscript.exe
PID 740 wrote to memory of 4056 740 wscript.exe wscript.exe

description	pid	process	target process
PID 740 wrote to memory of 4056	740	wscript.exe	wscript.exe
PID 740 wrote to memory of 4056	740	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\receipt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\receipt.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.js
MD5
0d18f9a0a1605a34247be8918dd3d360

SHA1
1046c9c221468b1a8725d9e958ddf20b0ec3a6c1

SHA256
3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

SHA512
cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

Download Submit
C:\Users\Admin\AppData\Roaming\receipt.js
MD5
0d18f9a0a1605a34247be8918dd3d360

SHA1
1046c9c221468b1a8725d9e958ddf20b0ec3a6c1

SHA256
3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

SHA512
cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

Download Submit
C:\Users\Admin\AppData\Roaming\receipt.js
MD5
0d18f9a0a1605a34247be8918dd3d360

SHA1
1046c9c221468b1a8725d9e958ddf20b0ec3a6c1

SHA256
3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de

SHA512
cc32e93e876ff536475cec9a0ceea4014d443b994dfe4c7be899745c15001ed86d6dc66e79fc281af0d1b4acaa35cb7f2c30df7f1f48a2cb6fbc8d79c35d7011

Download Submit
memory/4056-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads