Malware Analysis Report

2025-01-18 12:20

Sample ID: 221124-jpc46ahg77
Target: invoice regulation documentation.JPG.js
SHA256: 21933fcbd4c383e82fa9b32f31609e1c6685b763ed5d8258f19862cb2016fcf5
Tags: wshrat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 21933fcbd4c383e82fa9b32f31609e1c6685b763ed5d8258f19862cb2016fcf5
Threat Level: Known bad

The file invoice regulation documentation.JPG.js was found to be: Known bad. It is a JScript client of the WSHRAT family delivered under a double extension: with Explorer's default "Hide extensions for known file types" setting the name displays as invoice regulation documentation.JPG, while a double-click still hands the file to wscript.exe.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request (wscript.exe, a script host that has no legitimate reason to originate internet traffic, contacts external hosts)

Looks up external IP address via web service (ip-api.com)

Enumerates physical storage devices (drive enumeration, typically a precursor to spreading via removable media)

Script User-Agent (the WSHRAT check-in string is sent as the HTTP User-Agent header)

MITRE ATT&CK

Enterprise Matrix V6

(No technique mapping is included in this export of the report.)

Analysis: static1

Detonation Overview

Reported: 2022-11-24 07:50

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-24 07:50
Reported: 2022-11-24 07:53
Platform: win7-20221111-en
Max time kernel: 145s
Max time network: 170s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\invoice regulation documentation.JPG.js"

wscript.exe is the default shell handler for .js files on Windows, so opening the attachment from a mail client or the Temp folder produces exactly this command line; no exploit is involved, only the script host doing its job.

Signatures

WSHRAT (trojan, wshrat)

Looks up external IP address via web service

Description   Indicator    Process   Target
N/A           ip-api.com   N/A       N/A

Enumerates physical storage devices

Script User-Agent

Description              Indicator                                                                                                                  Process   Target
HTTP User-Agent header   WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/11/2022|JavaScript-v3.4|NL:Netherlands   N/A       N/A

The User-Agent value is the WSHRAT check-in record, pipe-delimited: the family name, a host identifier (409F1942), the computer name (VZODHOJJ), the logged-on user (Admin, the sandbox account), the OS caption, a build tag (plus), the detected antivirus (nan-av, i.e. none), a boolean flag with a date (false - 24/11/2022, the detonation date), the client version (JavaScript-v3.4) and the country (NL:Netherlands, consistent with the ip-api.com lookup above). Every field after the first varies per victim, so a detection that matches the whole string will only ever catch this one infection; match on the "WSHRAT|" prefix and the "JavaScript-v" version field instead.
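The check-in string can be parsed into its fields and hunted for in web-proxy logs. The Python below is an added example, not code from the sandbox report or from the malware; the field names assigned to the pipe-delimited positions are an interpretation of the value above, and the three log lines are constructed for the example.

```python
"""Parse the WSHRAT check-in User-Agent and hunt for it in proxy logs.

Added example; not code from the sandbox report. Field names are an
interpretation of the pipe-delimited value shown in the report, and the
sample log lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Value copied verbatim from the report's "Script User-Agent" signature.
REPORT_UA = ("WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|"
             "nan-av|false - 24/11/2022|JavaScript-v3.4|NL:Netherlands")


@dataclass
class Beacon:
    """One WSHRAT check-in; field names assigned by position (interpretation)."""
    family: str         # "WSHRAT"
    hwid: str           # host identifier, e.g. 409F1942
    hostname: str       # computer name, e.g. VZODHOJJ
    username: str       # logged-on user
    os: str             # OS caption
    tag: str            # build tag, "plus"
    av: str             # detected antivirus, "nan-av" when none
    flag_and_date: str  # "<bool> - <dd/mm/yyyy>"
    version: str        # client version, e.g. JavaScript-v3.4
    country: str        # "<CC>:<Country>"


def parse_wshrat_ua(ua: str) -> Optional[Beacon]:
    """Return the beacon fields, or None if the value is not a WSHRAT check-in."""
    parts = [p.strip() for p in ua.split("|")]
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    return Beacon(*parts)


# Detection rule: anchor on the stable tokens (family prefix and the client
# version field, seven per-victim fields later) and constrain nothing else.
WSHRAT_UA_RE = re.compile(r"^WSHRAT\|(?:[^|]*\|){7}JavaScript-v\d+(?:\.\d+)*\|")


def is_wshrat_ua(ua: str) -> bool:
    return WSHRAT_UA_RE.match(ua) is not None


# Constructed proxy log lines: <epoch> <src> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
1669276200.101 10.0.0.15 GET http://ip-api.com/json/ 200 "WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/11/2022|JavaScript-v3.4|NL:Netherlands"
1669276201.412 10.0.0.22 GET http://example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1669276230.777 10.0.0.40 POST http://goodies.dynamic-dns.net:1604/ 200 "WSHRAT|7A1B22C3|WS-FIN-07|jdoe|Microsoft Windows 10 Pro |plus|Windows Defender|true - 20/11/2022|JavaScript-v3.4|DE:Germany"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def hunt(log_text: str) -> list[dict]:
    """Return one record per log line whose User-Agent is a WSHRAT check-in."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wshrat_ua(m["ua"]):
            continue
        beacon = parse_wshrat_ua(m["ua"])
        hits.append({
            "src": m["src"],
            "url": m["url"],
            "hwid": beacon.hwid if beacon else None,
            "hostname": beacon.hostname if beacon else None,
            "version": beacon.version if beacon else None,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The parsed hostname and host identifier are what you pivot on once a hit appears: the same hwid showing up from a second internal address means the infected machine moved, not that there are two infections.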

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\invoice regulation documentation.JPG.js"

Network

Country   Destination           Domain                    Proto
N/A       8.8.8.8:53            ip-api.com                udp
N/A       208.95.112.1:80       ip-api.com                tcp
N/A       8.8.8.8:53            goodies.dynamic-dns.net   udp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp
N/A       85.208.136.19:1604    goodies.dynamic-dns.net   tcp

The order shows the sequence observed at detonation: resolve ip-api.com and fetch the external IP and country over plain HTTP (208.95.112.1:80), then resolve the C2 name goodies.dynamic-dns.net and connect to 85.208.136.19 on TCP/1604. The nine connections to that endpoint within the 170 s capture are repeated check-ins rather than one long session. A script host connecting to a dynamic-DNS name on a non-web port shortly after an external-IP lookup is the pattern to hunt for in proxy and flow logs; goodies.dynamic-dns.net and 85.208.136.19:1604 are the indicators to block.
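That sequence (external-IP lookup, then repeated connections to one dynamic-DNS host on a non-web port) can be expressed as a correlation over connection records. The Python below is an added example, not the sandbox's own detection logic: destinations, ports and domain names are taken from the table above, while the timestamps, the internal source addresses and the benign host's records are constructed, and the dynamic-DNS suffix list is an illustrative starting set rather than a complete one.

```python
"""Correlate an external-IP lookup with subsequent beaconing to one host.

Added example; not the sandbox's own detection logic. Destinations, ports and
domain names come from the behavioral1 Network table; timestamps, internal
source addresses and the benign host's records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since epoch (constructed)
    src: str       # internal client address (constructed)
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    domain: str    # name the destination was resolved from


# External-IP lookup services; the report shows ip-api.com. Assumption: this
# set is a starting point to extend from your own telemetry, not exhaustive.
IP_LOOKUP_DOMAINS = {"ip-api.com"}

# Dynamic-DNS suffixes commonly used for RAT command-and-control; the report's
# C2 name uses the first one. Illustrative list, not a complete one.
DYNDNS_SUFFIXES = (".dynamic-dns.net", ".no-ip.org", ".ddns.net", ".duckdns.org")


def sample_conns() -> list[Conn]:
    """Constructed records mirroring the report's Network table."""
    t = 1669276200.0  # arbitrary base timestamp
    rows = [
        Conn(t + 0.0, "10.0.0.15", "8.8.8.8", 53, "udp", "ip-api.com"),
        Conn(t + 0.4, "10.0.0.15", "208.95.112.1", 80, "tcp", "ip-api.com"),
        Conn(t + 1.0, "10.0.0.15", "8.8.8.8", 53, "udp", "goodies.dynamic-dns.net"),
    ]
    # Nine check-ins to the C2 on TCP/1604, about 20 s apart, as in the report.
    rows += [Conn(t + 2.0 + 20.0 * i, "10.0.0.15", "85.208.136.19", 1604, "tcp",
                  "goodies.dynamic-dns.net") for i in range(9)]
    # A benign host browsing a web server: no external-IP lookup beforehand.
    rows += [Conn(t + 5.0 + 3.0 * i, "10.0.0.22", "203.0.113.10", 443, "tcp",
                  "www.example.org") for i in range(12)]
    return rows


def analyse(conns: list[Conn], min_beacons: int = 5, window: float = 300.0) -> list[dict]:
    """Flag sources that query an external-IP service and then connect at least
    `min_beacons` times to one destination:port within `window` seconds."""
    by_src: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    findings = []
    for src, cs in by_src.items():
        cs.sort(key=lambda c: c.ts)
        lookup = next((c for c in cs if c.proto == "tcp" and c.domain in IP_LOOKUP_DOMAINS), None)
        if lookup is None:
            continue  # first stage of the pattern absent; nothing to correlate
        groups: dict[tuple[str, int], list[Conn]] = defaultdict(list)
        for c in cs:
            if c.proto == "tcp" and c.ts > lookup.ts and c.domain not in IP_LOOKUP_DOMAINS:
                groups[(c.dst, c.dport)].append(c)
        for (dst, dport), hits in groups.items():
            times = [c.ts for c in hits]
            if len(times) < min_beacons or times[-1] - times[0] > window:
                continue
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean_gap = sum(gaps) / len(gaps)
            jitter = max(abs(g - mean_gap) for g in gaps)
            findings.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "domain": hits[0].domain,
                "beacons": len(times),
                "mean_gap_s": round(mean_gap, 1),
                "max_jitter_s": round(jitter, 1),
                "dyndns": hits[0].domain.endswith(DYNDNS_SUFFIXES),
                "non_web_port": dport not in (80, 443),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(sample_conns()):
        print(finding)
```

The lookup is used as a gate rather than as an indicator on its own, because plenty of legitimate software asks ip-api.com for its public address; the combination of that lookup, a dynamic-DNS C2 name, a non-web port and a near-constant inter-connection gap is what separates this traffic from browsing.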

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-24 07:50
Reported: 2022-11-24 07:51
Platform: win10v2004-20221111-en
Max time network: 14s

Command Line: N/A
Signatures: N/A
Processes: N/A
Network: N/A
Files: N/A

This run recorded no command line, process, signature, network or file activity and its network capture ended after 14 s, so the sample was never observed executing on the Windows 10 image. Treat the empty result as a failed detonation, not as evidence that the script is inert on Windows 10; the Windows 7 run (behavioral1) is the authoritative record of the sample's behaviour.