wshrat | 6e348ed0aac3c01961f86af5fe843e1e1c5d2d977ea62eea7960efbb6a1c78fd

General

Target

Rut.js
Size

412KB
MD5

b90b295157b57ba84dd525b8a0788cea
SHA1

b58705476941038c5c0f4e0604c55276c8fc2096
SHA256

6e348ed0aac3c01961f86af5fe843e1e1c5d2d977ea62eea7960efbb6a1c78fd
SHA512

e291cd979fc2e75c308b4b98fe8f45e3b2ed1bb416825c0b52a588b6b2268695a5d6f4beed6f6817741368691d9acb98bad9229e9166bad023698d0393bd77b4

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exe

flow	pid	process
9	424	wscript.exe
11	424	wscript.exe
19	424	wscript.exe
20	424	wscript.exe
21	424	wscript.exe
22	424	wscript.exe
23	424	wscript.exe
24	424	wscript.exe
25	424	wscript.exe
26	424	wscript.exe
27	424	wscript.exe
28	424	wscript.exe
29	424	wscript.exe
30	424	wscript.exe
31	424	wscript.exe
32	424	wscript.exe
33	424	wscript.exe
34	424	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
8	ip-api.com

Script User-Agent 17 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	19	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	25	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	11	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	33	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	22	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	24	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	26	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	34	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 21/4/2021\|JavaScript-v2.0\|NL:Netherlands

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Rut.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads