Malware Analysis Report

2025-01-18 12:21

Sample ID: 221104-jm9eksdbh7
Target: payment.js
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
Tags: wshrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
Threat Level: Known bad

The file payment.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-04 07:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-04 07:48
Reported: 2022-11-04 07:50
Platform: win7-20220812-en
Max time kernel: 150s
Max time network: 153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target | Count
HTTP User-Agent header | "WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/11/2022|JavaScript" | N/A | N/A | 4

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 544 wrote to memory of 1872 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"

Network

Country | Destination | Domain | Proto | Count
NL | 212.193.30.230:7780 |  | tcp | 5
NL | 212.193.30.230:7780 | 212.193.30.230 | tcp | 4

Files

memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

memory/1872-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment.js

MD5 b3d68dd5492fa261df75900cc205205f
SHA1 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256 d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js

MD5 b3d68dd5492fa261df75900cc205205f
SHA1 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256 d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-04 07:48
Reported: 2022-11-04 07:50
Platform: win10v2004-20220812-en
Max time kernel: 146s
Max time network: 152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target | Count
HTTP User-Agent header | "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript" | N/A | N/A | 9

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4612 wrote to memory of 1556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"

Network

Country | Destination | Domain | Proto | Count
NL | 212.193.30.230:7780 | 212.193.30.230 | tcp | 9
NL | 212.193.30.230:7780 |  | tcp | 5
US | 93.184.221.240:80 |  | tcp | 1
DE | 20.52.64.200:443 |  | tcp | 1

Files

memory/1556-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment.js

MD5 b3d68dd5492fa261df75900cc205205f
SHA1 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256 d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js

MD5 b3d68dd5492fa261df75900cc205205f
SHA1 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256 d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0