Malware Analysis Report

2025-04-14 08:30

Sample ID: 220121-3ahkwacfb4
Target: b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd
SHA256: b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd
Tags: wshrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd
Threat Level: Known bad

The file b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-21 23:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-21 23:18
Reported: 2022-01-22 00:17
Platform: win7-en-20211208
Max time kernel: 158s
Max time network: 160s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 22/1/2022|JavaScript-v1.3 N/A N/A (x5)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 1644 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (x3)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ghostwsh4191.ddns.net udp
US 8.8.8.8:53 unknownsoft.duckdns.org udp
US 184.105.237.199:4191 ghostwsh4191.ddns.net tcp (x5)
US 192.169.69.25:7755 unknownsoft.duckdns.org tcp (x5)

Files

memory/812-55-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js

MD5 018f2941af58337d85db9b0720be1eb2
SHA1 b55e33bf1763c1424960c5d27e5ce5a9dd12b0f6
SHA256 01002e1147978d69e578423c67e0f252c2918949b4c2442ba9342cf2a34545d4
SHA512 851ad74b58b4b24b756beae67f62d9aa3159ce1309aaf79b6112029339a46ad604cf46aa8535f7fcce0770014da57edfe0931daa5532f6da5bc6ba32664dd7f4

memory/1644-57-0x0000000004270000-0x00000000047C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-21 23:18
Reported: 2022-01-22 00:16
Platform: win10-en-20211208
Max time kernel: 151s
Max time network: 164s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 25/1/2022|JavaScript-v1.3 N/A N/A (x6)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 988 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (x2)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ghostwsh4191.ddns.net udp
US 8.8.8.8:53 unknownsoft.duckdns.org udp
US 184.105.237.199:4191 ghostwsh4191.ddns.net tcp (x6)
US 192.169.69.25:7755 unknownsoft.duckdns.org tcp (x6)

Files

memory/2424-122-0x0000020771410000-0x0000020772100000-memory.dmp

C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js

MD5 018f2941af58337d85db9b0720be1eb2
SHA1 b55e33bf1763c1424960c5d27e5ce5a9dd12b0f6
SHA256 01002e1147978d69e578423c67e0f252c2918949b4c2442ba9342cf2a34545d4
SHA512 851ad74b58b4b24b756beae67f62d9aa3159ce1309aaf79b6112029339a46ad604cf46aa8535f7fcce0770014da57edfe0931daa5532f6da5bc6ba32664dd7f4

memory/988-140-0x0000014F97B3B000-0x0000014F98760000-memory.dmp