wshrat | fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8

General

Target

sample.js
Size

910KB
MD5

883fa46edf3dfc3d4160faa2704c828e
SHA1

27163d08ca6d045bd9a377cf6e7908c48f986caa
SHA256

fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
SHA512

dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 13 IoCs

Processes:

wscript.exe

flow	pid	process
6	1740	wscript.exe
8	1740	wscript.exe
9	1740	wscript.exe
10	1740	wscript.exe
12	1740	wscript.exe
13	1740	wscript.exe
14	1740	wscript.exe
16	1740	wscript.exe
17	1740	wscript.exe
18	1740	wscript.exe
20	1740	wscript.exe
21	1740	wscript.exe
22	1740	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
5	ip-api.com

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	9	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	10	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	14	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	17	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	18	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	8	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	13	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands
HTTP User-Agent header	22	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/4/2021\|JavaScript-v3.3\|NL:Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1996 wrote to memory of 1740	1996	wscript.exe	wscript.exe
PID 1996 wrote to memory of 1740	1996	wscript.exe	wscript.exe
PID 1996 wrote to memory of 1740	1996	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sample.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js
MD5
883fa46edf3dfc3d4160faa2704c828e

SHA1
27163d08ca6d045bd9a377cf6e7908c48f986caa

SHA256
fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8

SHA512
dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09

Download Submit
C:\Users\Admin\AppData\Roaming\sample.js
MD5
883fa46edf3dfc3d4160faa2704c828e

SHA1
27163d08ca6d045bd9a377cf6e7908c48f986caa

SHA256
fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8

SHA512
dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09

Download Submit
memory/1740-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads