Analysis
  max time kernel:  122s
  max time network: 125s
  platform:         windows7_x64
  resource:         win7-en-20210920
  submitted:        11/10/2021, 06:54
Static task: static1
Behavioral task: behavioral1
  Sample:   Scan00051.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample:   Scan00051.js
  Resource: win10-en-20210920
General
  Target: Scan00051.js
  Size:   1006KB
  MD5:    88cc26a74a561426df5302d399744ffb
  SHA1:   defaafa787d512c1bd654266bbb052965d225e16
  SHA256: 4ee22add9e3dfc6d9b5f02f56aeebed5944d7b325196c04d935f8093ba3bc301
  SHA512: 6f5cd63b18c3646b4052f2e895e9bc69db1829fbbc4e86d228d32bc7188f14b130d4ff8427fdc4aa2aa7730d8813ac169752725da26e84aab65a9b00ad02ab0b
Malware Config
  Extracted
    wshrat
    http://147.182.241.104:7121
Signatures
  suricata: ET MALWARE WSHRAT CnC Checkin
  suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
  Blocklisted process makes network request (7 IoCs)
    flow  pid   process
    3     1044  wscript.exe
    7     1044  wscript.exe
    8     1044  wscript.exe
    9     1044  wscript.exe
    10    1044  wscript.exe
    11    1044  wscript.exe
    13    1044  wscript.exe
  Drops startup file (2 IoCs)
    description                   process      ioc
    File created                  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00051.js
    File opened for modification  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00051.js
  Adds Run key to start application (2 TTPs, 4 IoCs)
    description      process      ioc
    Key created      wscript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
    Set value (str)  wscript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00051 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan00051.js\""
    Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
    Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan00051 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan00051.js\""
  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    6     ip-api.com
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Script User-Agent (5 IoCs)
    Uses user-agent string associated with script host/environment.
    description             flow  ioc
    HTTP User-Agent header  8     WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/10/2021|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  9     WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/10/2021|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  10    WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/10/2021|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  11    WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/10/2021|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)