Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 08-10-2021 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: INTERAC Service Request9466544665440.js
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: INTERAC Service Request9466544665440.js
- Resource: win10v20210408
General
- Target: INTERAC Service Request9466544665440.js
- Size: 3KB
- MD5: 38ecf70cf09d8c499546c01c028dd70f
- SHA1: d4d57eeb688d2abe1eeae5b0dc142d588246648b
- SHA256: 7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d
- SHA512: bd92d0a81b6c9b553d11ace0f680f677a727de965703205955c92650ed43fe68f593b228e62d90acafc53e34864e4715eebd877808e2b160ee1d3dfeaf9462bc
Malware Config
Extracted
- Family: vjw0rm
- C2: http://jswormpeople.duckdns.org:1921
Signatures
WSHRAT Payload (3 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js: family_wshrat
- C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js: family_wshrat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js: family_wshrat
Blocklisted process makes network request (25 IoCs)
Processes (flow / pid / process):
- flow 5: pid 1272, wscript.exe
- flows 8, 10, 11, 12, 14, 15, 16, 18, 19, 20, 22, 23, 24, 26, 27, 28, 30, 31, 32, 34, 35, 36, 38, 39: pid 1556, wscript.exe
Drops startup file (4 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js (WScript.exe)
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run (WScript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" (WScript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\K3A8F1X622 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INTERAC Service Request9466544665440.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 7: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 1272 wrote to memory of 572: wscript.exe -> schtasks.exe (3 events)
- PID 1272 wrote to memory of 1588: wscript.exe -> WScript.exe (3 events)
- PID 1588 wrote to memory of 1556: WScript.exe -> wscript.exe (3 events)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js
    - Creates scheduled task(s)
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js
- C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js
All three copies carry identical hashes:
- MD5: e4df266d9763db8663d812ae59e7270a
- SHA1: 375f6f2f16db35bda5290b537da15d30da66609d
- SHA256: d02f604013705f3784a0a278e77b533612e00dd3fa95770b46bfe897777eb9fd
- SHA512: 901e5d5fc83d15f0106b634ca78e3417a461d8b4d796daccaa963778c8db7f4ac030a5236d8f7f5a7ac7738fb9100496fc1ca2b630bd25d86f1f5a25f0ea69b0
Memory dumps:
- memory/572-54-0x0000000000000000-mapping.dmp
- memory/1272-53-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (Filesize: 8KB)
- memory/1556-58-0x0000000000000000-mapping.dmp
- memory/1588-55-0x0000000000000000-mapping.dmp