Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-en-20210920
submitted: 08/10/2021, 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: INTERAC Service Request9466544665440.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: INTERAC Service Request9466544665440.js
  Resource: win10v20210408
General
Target: INTERAC Service Request9466544665440.js
Size: 3KB
MD5: 38ecf70cf09d8c499546c01c028dd70f
SHA1: d4d57eeb688d2abe1eeae5b0dc142d588246648b
SHA256: 7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d
SHA512: bd92d0a81b6c9b553d11ace0f680f677a727de965703205955c92650ed43fe68f593b228e62d90acafc53e34864e4715eebd877808e2b160ee1d3dfeaf9462bc
Malware Config
Extracted: vjw0rm
http://jswormpeople.duckdns.org:1921
Signatures

WSHRAT Payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x00050000000130ab-56.dat | family_wshrat
behavioral1/files/0x00050000000130d5-59.dat | family_wshrat
behavioral1/files/0x00050000000130fe-61.dat | family_wshrat
Blocklisted process makes network request (25 IoCs)
flow | pid | Process
5 | 1272 | wscript.exe
8 | 1556 | wscript.exe
10 | 1556 | wscript.exe
11 | 1556 | wscript.exe
12 | 1556 | wscript.exe
14 | 1556 | wscript.exe
15 | 1556 | wscript.exe
16 | 1556 | wscript.exe
18 | 1556 | wscript.exe
19 | 1556 | wscript.exe
20 | 1556 | wscript.exe
22 | 1556 | wscript.exe
23 | 1556 | wscript.exe
24 | 1556 | wscript.exe
26 | 1556 | wscript.exe
27 | 1556 | wscript.exe
28 | 1556 | wscript.exe
30 | 1556 | wscript.exe
31 | 1556 | wscript.exe
32 | 1556 | wscript.exe
34 | 1556 | wscript.exe
35 | 1556 | wscript.exe
36 | 1556 | wscript.exe
38 | 1556 | wscript.exe
39 | 1556 | wscript.exe
Drops startup file (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMHT76PIZC.js | WScript.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMHT76PIZC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SMHT76PIZC.js\"" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\K3A8F1X622 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INTERAC Service Request9466544665440.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
572 | schtasks.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1272 wrote to memory of 572 | 1272 | wscript.exe | 28
PID 1272 wrote to memory of 572 | 1272 | wscript.exe | 28
PID 1272 wrote to memory of 572 | 1272 | wscript.exe | 28
PID 1272 wrote to memory of 1588 | 1272 | wscript.exe | 32
PID 1272 wrote to memory of 1588 | 1272 | wscript.exe | 32
PID 1272 wrote to memory of 1588 | 1272 | wscript.exe | 32
PID 1588 wrote to memory of 1556 | 1588 | WScript.exe | 33
PID 1588 wrote to memory of 1556 | 1588 | WScript.exe | 33
PID 1588 wrote to memory of 1556 | 1588 | WScript.exe | 33
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js"
    PID: 1272
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js
        PID: 572
        - Creates scheduled task(s)

    [2] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SMHT76PIZC.js"
        PID: 1588
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\wscript.exe
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SMHT76PIZC.js"
            PID: 1556
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application