Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    01/10/2021, 10:33

General

  • Target

    Scan0032.js

  • Size

    1.1MB

  • MD5

    126c1417ab24cd6b4bf8889a5254ae18

  • SHA1

    b9465bbe07f047f063f8e2a2e3dba87181fceac6

  • SHA256

    bd1b9e3102b57857d294df0339682f25e2ccb17d0665c77dfefe6565a68f85ff

  • SHA512

    bca88a55671be0e903f9ddaa9002dc37ba0c97f7c15431f09069c3740c41e5702fafa900bdaf0a0d436fc6bd50c669e4a22a70ac28b909ddc98726da24959a55

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 5 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0032.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads