Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 18/10/2021, 07:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO 21.18.0047 -(APPROVAL).js
  - Resource: win7-en-20210920
General
- Target: PO 21.18.0047 -(APPROVAL).js
- Size: 45KB
- MD5: 8547af690a9b533d6acd08360f5b18d5
- SHA1: fe393629e5df70bcfef741a70432af6c6a528b27
- SHA256: e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a
- SHA512: 7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d
Malware Config
Extracted
wshrat
http://jahblessrtd4ever.home-webserver.de:1604
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- Blocklisted process makes network request (64 IoCs)
  Network flows by process (flow ids, from the sandbox flow table):
  - wscript.exe, PID 520: 8, 21, 28, 31, 35, 40, 43, 47, 53, 56, 60, 63, 67, 70, 74, 78, 81, 85
  - wscript.exe, PID 3808: 9, 20, 29, 32, 36, 41, 44, 48, 54, 57, 61, 64, 68, 71, 75, 79, 82, 86
  - wscript.exe, PID 2152: 10, 19, 22, 27, 30, 33, 34, 37, 39, 42, 45, 46, 51, 52, 55, 58, 59, 62, 65, 66, 69, 72, 73, 76, 77, 80, 83, 84
- Drops startup file (5 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 12 IoCs)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (29 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, identical on flows 10, 19, 22, 27, 30, 33, 34, 37, 39, 42, 45, 46, 51, 52, 55, 58, 59, 62, 65, 66, 69, 72, 73, 76, 77, 80, 83, 84, 87:
  WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1688 wrote to memory of 3808 (1688 wscript.exe, procid_target 69)
  - PID 1688 wrote to memory of 3808 (1688 wscript.exe, procid_target 69)
  - PID 1688 wrote to memory of 2152 (1688 wscript.exe, procid_target 70)
  - PID 1688 wrote to memory of 2152 (1688 wscript.exe, procid_target 70)
  - PID 2152 wrote to memory of 520 (2152 wscript.exe, procid_target 72)
  - PID 2152 wrote to memory of 520 (2152 wscript.exe, procid_target 72)
Processes
- C:\Windows\system32\wscript.exe (PID 1688)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO 21.18.0047 -(APPROVAL).js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 3808)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 2152)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO 21.18.0047 -(APPROVAL).js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 520)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application