Analysis
max time kernel: 148s
max time network: 149s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 19:32
Static task: static1
Behavioral task: behavioral1 (Sample: Rut.js, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: Rut.js, Resource: win10v20210408)
General
Target: Rut.js
Size: 412KB
MD5: b90b295157b57ba84dd525b8a0788cea
SHA1: b58705476941038c5c0f4e0604c55276c8fc2096
SHA256: 6e348ed0aac3c01961f86af5fe843e1e1c5d2d977ea62eea7960efbb6a1c78fd
SHA512: e291cd979fc2e75c308b4b98fe8f45e3b2ed1bb416825c0b52a588b6b2268695a5d6f4beed6f6817741368691d9acb98bad9229e9166bad023698d0393bd77b4
Malware Config
Signatures

Blocklisted process makes network request (18 IoCs)
Processes:
flow   pid  process
9      424  wscript.exe
11     424  wscript.exe
19-34  424  wscript.exe  (one entry per flow: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
Drops startup file (2 IoCs)
Processes:
description                   ioc                                                                                   process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js  wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description      ioc                                                                                              process
Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""  wscript.exe
The same value is written under both the user hive (HKCU ...\Run) and the machine hive (HKLM ...\Run), so it survives as long as either write succeeds. The //B switch runs the Windows Script Host in batch mode, which suppresses script error dialogs and prompts, keeping the script invisible to the logged-on user.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
8     ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a Windows Script Host RAT that also copies itself into the Startup folder, drive enumeration is equally consistent with copying the script to removable media, so treat the ransomware label as a hint rather than a finding.
Script User-Agent (17 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description            flow                                                               ioc
HTTP User-Agent header 11, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34  WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/4/2021|JavaScript-v2.0|NL:Netherlands
The same User-Agent value was observed on all 17 flows. These are exactly the blocklisted network-request flows above minus flow 9, so every beacon after the first carried the WSHRAT identifier string.
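The two IoC families in this report that are cheapest to turn into detections are the wscript.exe Run-key persistence and the WSHRAT User-Agent beacon. The Python below is an added example, not part of the sandbox output or of the sample: it parses the User-Agent into named fields from constructed proxy-log lines, and flags Run-key values that hand a script to wscript.exe or cscript.exe. The field names assigned to the pipe-separated positions are an assumption (the report shows the string but does not label its positions), and the log format, destination host and the non-malicious registry entries are constructed placeholders.

```python
"""Triage helpers for this report's IoCs: the WSHRAT check-in User-Agent and the
wscript.exe Run-key persistence. Added example code, not sandbox output; every
log line and registry value below is constructed (c2.example.invalid is a
placeholder destination)."""
import re
from typing import Dict, List, Optional, Tuple

# User-Agent exactly as recorded in the report.
WSHRAT_UA = ("WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|"
             "plus|nan-av|false - 21/4/2021|JavaScript-v2.0|NL:Netherlands")

# Assumed field layout (the report does not name the positions): tag | hardware
# id | hostname | user | OS | build tag | antivirus | usb-spread flag - install
# date | script engine | country.
WSHRAT_UA_RE = re.compile(
    r"^(?P<tag>WSHRAT)\|(?P<hwid>[0-9A-F]{8})\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|"
    r"(?P<os>[^|]+)\|(?P<build>[^|]+)\|(?P<av>[^|]+)\|"
    r"(?P<usb>true|false) - (?P<installed>\d{1,2}/\d{1,2}/\d{4})\|"
    r"(?P<engine>[^|]+)\|(?P<country>[A-Z]{2}:[^|]+)$"
)

# Constructed proxy-log format: <ts> <client> <dst-host> <method> <path> "<ua>"
PROXY_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)
SAMPLE_PROXY_LOG = [
    f'2021-04-21T19:33:02Z 10.0.0.5 c2.example.invalid POST / "{WSHRAT_UA}"',
    '2021-04-21T19:33:04Z 10.0.0.9 www.example.com GET / '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0"',
    f'2021-04-21T19:33:40Z 10.0.0.5 c2.example.invalid POST / "{WSHRAT_UA}"',
]


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a WSHRAT User-Agent, or None if it is not one."""
    m = WSHRAT_UA_RE.match(ua)
    return m.groupdict() if m else None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """One hit per log line whose User-Agent parses as a WSHRAT check-in."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        fields = parse_wshrat_ua(m["ua"])
        if fields:
            hits.append({"ts": m["ts"], "client": m["client"], "dst": m["dst"], "fields": fields})
    return hits


# Run-key value shaped like the report's:  wscript.exe //B "C:\...\Rut.js"
# Also matches cscript, an explicit System32 path, and unquoted script paths.
WSH_RUNKEY_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?(?P<engine>[wc]script)(?:\.exe)?"?\s+'
    r'(?P<flags>(?://[A-Za-z:]+\s+)*)"?(?P<script>[^"]+?\.(?:js|jse|vbs|vbe|wsf))"?\s*$',
    re.IGNORECASE,
)

# Constructed (name, value) pairs; the first is the value from the report.
SAMPLE_RUN_KEYS = [
    ("Rut", r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Rut.js"'),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'C:\Windows\System32\cscript.exe //nologo C:\ProgramData\update.vbs'),
]


def classify_runkey(name: str, value: str) -> Optional[Dict[str, object]]:
    """Flag a Run-key value that launches a script through the Windows Script Host."""
    m = WSH_RUNKEY_RE.match(value)
    if not m:
        return None
    flags = m["flags"].split()
    return {
        "name": name,
        "engine": m["engine"].lower(),
        "flags": flags,
        "script": m["script"],
        # //B (batch mode) hides script errors and prompts from the user.
        "silent": any(f.lower() == "//b" for f in flags),
        # Profile/temp and ProgramData paths are where user-level droppers usually land.
        "suspicious_path": "\\AppData\\" in m["script"] or "\\ProgramData\\" in m["script"],
    }


def scan_runkeys(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    return [hit for hit in (classify_runkey(n, v) for n, v in entries) if hit]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        f = hit["fields"]
        print(f'{hit["ts"]} {hit["client"]} -> {hit["dst"]}: bot {f["hwid"]} on {f["host"]} '
              f'({f["os"]}), usb-spread={f["usb"]}')
    for hit in scan_runkeys(SAMPLE_RUN_KEYS):
        print(f'Run\\{hit["name"]}: {hit["engine"]} {" ".join(hit["flags"])} {hit["script"]} '
              f'silent={hit["silent"]}')
```

The hardware-id field is the most useful pivot: it stays constant across all of a bot's check-ins, so grouping proxy hits by hwid separates distinct infections even when several sit behind one egress address. The Run-key matcher deliberately ignores the value name, since the name ("Rut" here) is chosen by the operator and changes between builds while the wscript.exe //B "<script>" shape does not.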