Analysis

  • max time kernel
    156s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 15:41

General

  • Target

    GOE-6.508.pdf.js

  • Size

    1.5MB

  • MD5

    a35a17d6d986737f8d13c2e7896175b4

  • SHA1

    ec1631b83df832f28b20c86b629e0c2862b3334c

  • SHA256

    4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c

  • SHA512

    81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

Malware Config

  • Family
    wshrat
  • C2
    http://111.90.149.115:5200

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

  • WSHRAT Payload 2 IoCs
  • suricata: ET MALWARE WSHRAT CnC Checkin
  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
  • Blocklisted process makes network request 30 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Script User-Agent 29 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\GOE-6.508.pdf.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:540
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM kl-plugin.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:532
      • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
        "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" 111.90.149.115 5200 "WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands" 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf
    MD5

    079583d407341726613315054d90c42a

    SHA1

    6003dbe6486a771389b135d0df0fcc20d18b3fe6

    SHA256

    d40d608c292bdc6c8181451d7394b8a7f834066e49742be6f655c3284f934b87

    SHA512

    fa1b8b363e728bcecfa4164c866a350f9fa94706b97cff638e962d29a6bfc7f926499fcc24ffbc7e1d70b3a50e5d3523455f71efe84e81bce9e94ae72b787fe8

  • C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf.js
    MD5

    a35a17d6d986737f8d13c2e7896175b4

    SHA1

    ec1631b83df832f28b20c86b629e0c2862b3334c

    SHA256

    4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c

    SHA512

    81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOE-6.508.pdf.js
    MD5

    a35a17d6d986737f8d13c2e7896175b4

    SHA1

    ec1631b83df832f28b20c86b629e0c2862b3334c

    SHA256

    4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c

    SHA512

    81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

  • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
    MD5

    7099a939fa30d939ccceb2f0597b19ed

    SHA1

    37b644ef5722709cd9024a372db4590916381976

    SHA256

    272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

    SHA512

    6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

  • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
    MD5

    7099a939fa30d939ccceb2f0597b19ed

    SHA1

    37b644ef5722709cd9024a372db4590916381976

    SHA256

    272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

    SHA512

    6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

  • memory/308-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
    Filesize

    8KB

  • memory/540-58-0x0000000076491000-0x0000000076493000-memory.dmp
    Filesize

    8KB

  • memory/1780-63-0x0000000002110000-0x0000000002111000-memory.dmp
    Filesize

    4KB