wshrat | bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299

General

Target

Payment proof.js
Size

1003KB
MD5

9e733fa24be87845ac6194184afb59a2
SHA1

962dfe219a3892d2ad653ddd29c2473664fec69f
SHA256

bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299
SHA512

ff405ea9375bda5c2f8a512d6c8364f912a8c6f0147ac59d47c025a89b1dbb5471a3a7a9bab8ffa313097aa074d302c7b00be6575f77d0922843fcac0d08ea09
SSDEEP

3072:GQueMnqPJqQSV4dWCMwGpAstU60gzxuxJ0ILpj4jYfc:GQueMnqPJqQSV4dWCMxU60gzxurG

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
16	3904	wscript.exe
19	3904	wscript.exe
35	3904	wscript.exe
42	3904	wscript.exe
43	3904	wscript.exe
44	3904	wscript.exe
47	3904	wscript.exe
48	3904	wscript.exe
49	3904	wscript.exe
54	3904	wscript.exe
56	3904	wscript.exe
58	3904	wscript.exe
60	3904	wscript.exe
62	3904	wscript.exe
63	3904	wscript.exe
64	3904	wscript.exe
67	3904	wscript.exe
69	3904	wscript.exe
70	3904	wscript.exe
73	3904	wscript.exe
74	3904	wscript.exe
75	3904	wscript.exe
77	3904	wscript.exe
79	3904	wscript.exe
80	3904	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment proof.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment proof.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	62	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	63	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	64	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	67	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	35	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	49	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	54	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	73	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	80	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	44	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	48	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	74	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	77	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	47	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	58	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	70	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	79	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	69	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	75	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	42	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	43	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	56	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	60	WSHRAT\|10B1D74F\|TLGENAJY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/4/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3904	400	wscript.exe	84
PID 400 wrote to memory of 3904	400	wscript.exe	84

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Payment proof.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment proof.js

Filesize
1003KB

MD5
9e733fa24be87845ac6194184afb59a2

SHA1
962dfe219a3892d2ad653ddd29c2473664fec69f

SHA256
bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299

SHA512
ff405ea9375bda5c2f8a512d6c8364f912a8c6f0147ac59d47c025a89b1dbb5471a3a7a9bab8ffa313097aa074d302c7b00be6575f77d0922843fcac0d08ea09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment proof.js

Filesize
1003KB

MD5
9e733fa24be87845ac6194184afb59a2

SHA1
962dfe219a3892d2ad653ddd29c2473664fec69f

SHA256
bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299

SHA512
ff405ea9375bda5c2f8a512d6c8364f912a8c6f0147ac59d47c025a89b1dbb5471a3a7a9bab8ffa313097aa074d302c7b00be6575f77d0922843fcac0d08ea09

Download Submit
C:\Users\Admin\AppData\Roaming\Payment proof.js

Filesize
1003KB

MD5
9e733fa24be87845ac6194184afb59a2

SHA1
962dfe219a3892d2ad653ddd29c2473664fec69f

SHA256
bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299

SHA512
ff405ea9375bda5c2f8a512d6c8364f912a8c6f0147ac59d47c025a89b1dbb5471a3a7a9bab8ffa313097aa074d302c7b00be6575f77d0922843fcac0d08ea09

Download Submit

Analysis

Sharing