Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    11/10/2021, 06:54

General

  • Target

    Scan00051.js

  • Size

    1006KB

  • MD5

    88cc26a74a561426df5302d399744ffb

  • SHA1

    defaafa787d512c1bd654266bbb052965d225e16

  • SHA256

    4ee22add9e3dfc6d9b5f02f56aeebed5944d7b325196c04d935f8093ba3bc301

  • SHA512

    6f5cd63b18c3646b4052f2e895e9bc69db1829fbbc4e86d228d32bc7188f14b130d4ff8427fdc4aa2aa7730d8813ac169752725da26e84aab65a9b00ad02ab0b

Malware Config

Extracted

Family

wshrat

C2

http://147.182.241.104:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 5 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00051.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:1044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads