Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-en-20210920
submitted: 01/10/2021, 10:33

Static task: static1
Behavioral task: behavioral1
Sample: Scan0032.js
Resource: win7-en-20210920
General
Target: Scan0032.js
Size: 1.1MB
MD5: 126c1417ab24cd6b4bf8889a5254ae18
SHA1: b9465bbe07f047f063f8e2a2e3dba87181fceac6
SHA256: bd1b9e3102b57857d294df0339682f25e2ccb17d0665c77dfefe6565a68f85ff
SHA512: bca88a55671be0e903f9ddaa9002dc37ba0c97f7c15431f09069c3740c41e5702fafa900bdaf0a0d436fc6bd50c669e4a22a70ac28b909ddc98726da24959a55
Malware Config
Signatures
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request (7 IoCs)
flow  pid   Process
2     1696  wscript.exe
6     1696  wscript.exe
7     1696  wscript.exe
8     1696  wscript.exe
9     1696  wscript.exe
11    1696  wscript.exe
13    1696  wscript.exe
Drops startup file (2 IoCs)
description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js   wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js   wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                                                                                           Process
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run                                                                                  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""   wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                              wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""                                        wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (5 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  7     WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header  8     WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header  9     WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header  11    WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands