Malware Analysis Report

2025-04-14 08:31

Sample ID 220201-s4rqjaghaq
Target GOE-6.508.pdf.js
SHA256 4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
Tags: wshrat link pdf persistence suricata trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c

Threat Level: Known bad

The file GOE-6.508.pdf.js was found to be: Known bad.

Malicious Activity Summary

wshrat link pdf persistence suricata trojan

suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

suricata: ET MALWARE WSHRAT CnC Checkin

Wshrat family

WSHRAT

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

WSHRAT Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

HTTP links in PDF interactive object

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-01 15:41

Signatures

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-01 15:41
Reported: 2022-02-01 15:43
Platform: win7-en-20211208
Max time kernel: 156s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\GOE-6.508.pdf.js

Signatures

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kl-plugin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOE-6.508.pdf.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOE-6.508.pdf.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOE-6 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GOE-6.508.pdf.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOE-6 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GOE-6.508.pdf.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOE-6 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GOE-6.508.pdf.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOE-6 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GOE-6.508.pdf.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands N/A N/A (identical row repeated 29 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 308 wrote to memory of 696 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (x3)
PID 696 wrote to memory of 540 N/A C:\Windows\System32\wscript.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (x4)
PID 696 wrote to memory of 1152 N/A C:\Windows\System32\wscript.exe C:\Windows\system32\cmd.exe (x3)
PID 1152 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (x3)
PID 696 wrote to memory of 1780 N/A C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\kl-plugin.exe (x4)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\GOE-6.508.pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf.js"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM kl-plugin.exe

C:\Users\Admin\AppData\Roaming\kl-plugin.exe

"C:\Users\Admin\AppData\Roaming\kl-plugin.exe" 111.90.149.115 5200 "WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands" 1

Network

Country Destination Domain Proto (identical consecutive rows collapsed, count in parentheses)
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
MY 111.90.149.115:5200 111.90.149.115 tcp (x4)
US 8.8.8.8:53 doughnut-snack.live udp
MY 111.90.149.115:5200 111.90.149.115 tcp (x25)

Files

memory/308-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf.js

MD5 a35a17d6d986737f8d13c2e7896175b4
SHA1 ec1631b83df832f28b20c86b629e0c2862b3334c
SHA256 4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
SHA512 81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOE-6.508.pdf.js

MD5 a35a17d6d986737f8d13c2e7896175b4
SHA1 ec1631b83df832f28b20c86b629e0c2862b3334c
SHA256 4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
SHA512 81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

memory/540-58-0x0000000076491000-0x0000000076493000-memory.dmp

C:\Users\Admin\AppData\Roaming\GOE-6.508.pdf

MD5 079583d407341726613315054d90c42a
SHA1 6003dbe6486a771389b135d0df0fcc20d18b3fe6
SHA256 d40d608c292bdc6c8181451d7394b8a7f834066e49742be6f655c3284f934b87
SHA512 fa1b8b363e728bcecfa4164c866a350f9fa94706b97cff638e962d29a6bfc7f926499fcc24ffbc7e1d70b3a50e5d3523455f71efe84e81bce9e94ae72b787fe8

C:\Users\Admin\AppData\Roaming\kl-plugin.exe

MD5 7099a939fa30d939ccceb2f0597b19ed
SHA1 37b644ef5722709cd9024a372db4590916381976
SHA256 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
SHA512 6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

memory/1780-63-0x0000000002110000-0x0000000002111000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-01 15:41
Reported: 2022-02-01 15:42
Platform: win10v2004-en-20220112
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp (x2)

Files

N/A