Analysis

  • max time kernel
    147s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14/10/2021, 14:20

General

  • Target

    Scan00311.js

  • Size

    1.0MB

  • MD5

    bf18cc77e2a0faa638f7524f6a886b8e

  • SHA1

    5c4882c7f9f64a8dee77fb9a0ebfb6dbd4376eff

  • SHA256

    91af9a9dbea4d8d9c979b72dc3dcedc77fef6f5f91f514e0ccc1e338b535d89f

  • SHA512

    a2e13d00a5ded012a84301b6399fa0ec2158a2301c781a4540fe07fe6679574d33e15f660ea7a1e821148feda1b5ed29ad88a15e403b7961d915c0960c7c8d6c

Malware Config

Extracted

Family

wshrat

C2

http://147.182.241.104:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • Blocklisted process makes network request 28 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 27 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00311.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads