wshrat | 852a19d5d6da8e689f90f57ad0765f37f2e47fd89c718eb02af142d0d4de8e97

General

Target

Purchase Order.js
Size

535KB
MD5

c8f59af1220efa3761728c04ed23322a
SHA1

0e2d24b3e0ac2b2782b51cfe772b069268d514ed
SHA256

852a19d5d6da8e689f90f57ad0765f37f2e47fd89c718eb02af142d0d4de8e97
SHA512

c1faf78277158ac4611bd996018959891b2e80a9e7fb40eafe962ee1a98d1ae0ea6977a450209d72c2242be007a55352832a066c6609c6e7458a24be4421ebbe
SSDEEP

384:t2WWKZWWAsg8gbToHWWWWWegHWWWWWztiGuYW+9j9suO5OOaCMOIYDr6LHDWTRtD:U8Y/

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 21 IoCs

flow	pid	Process
4	956	wscript.exe
5	956	wscript.exe
6	956	wscript.exe
8	956	wscript.exe
10	956	wscript.exe
11	956	wscript.exe
13	956	wscript.exe
14	956	wscript.exe
15	956	wscript.exe
17	956	wscript.exe
18	956	wscript.exe
19	956	wscript.exe
21	956	wscript.exe
22	956	wscript.exe
23	956	wscript.exe
25	956	wscript.exe
26	956	wscript.exe
27	956	wscript.exe
29	956	wscript.exe
30	956	wscript.exe
33	956	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Order.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Order.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Order = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\Purchase Order.js'"	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Order = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\Purchase Order.js'"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 20 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	10	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	22	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	4	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	14	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	15	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	19	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	26	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	5	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	6	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	17	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	23	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript
HTTP User-Agent header	25	WSHRAT\|B07A99DC\|VDWSWJJD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 15/2/2023\|JavaScript

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing