Analysis
-
max time kernel
156s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 15:41
General
-
Target
GOE-6.508.pdf.js
-
Size
1.5MB
-
MD5
a35a17d6d986737f8d13c2e7896175b4
-
SHA1
ec1631b83df832f28b20c86b629e0c2862b3334c
-
SHA256
4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
-
SHA512
81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53
Malware Config
Extracted
wshrat
http://111.90.149.115:5200
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT Payload 2 IoCs
-
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
-
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
-
Blocklisted process makes network request 30 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Script User-Agent 29 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\GOE-6.508.pdf.js1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM kl-plugin.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\kl-plugin.exe"C:\Users\Admin\AppData\Roaming\kl-plugin.exe" 111.90.149.115 5200 "WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands" 13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
079583d407341726613315054d90c42a
SHA16003dbe6486a771389b135d0df0fcc20d18b3fe6
SHA256d40d608c292bdc6c8181451d7394b8a7f834066e49742be6f655c3284f934b87
SHA512fa1b8b363e728bcecfa4164c866a350f9fa94706b97cff638e962d29a6bfc7f926499fcc24ffbc7e1d70b3a50e5d3523455f71efe84e81bce9e94ae72b787fe8
-
MD5
a35a17d6d986737f8d13c2e7896175b4
SHA1ec1631b83df832f28b20c86b629e0c2862b3334c
SHA2564f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
SHA51281c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53
-
MD5
a35a17d6d986737f8d13c2e7896175b4
SHA1ec1631b83df832f28b20c86b629e0c2862b3334c
SHA2564f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
SHA51281c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53
-
MD5
7099a939fa30d939ccceb2f0597b19ed
SHA137b644ef5722709cd9024a372db4590916381976
SHA256272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
SHA5126e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721
-
MD5
7099a939fa30d939ccceb2f0597b19ed
SHA137b644ef5722709cd9024a372db4590916381976
SHA256272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
SHA5126e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB