wshrat | b39e9da10e1d0062f2254cae99e58f1c46de46829bd86b3ab37a8d9e32e1a95e

General

Target

ORDER-230428.js
Size

521KB
MD5

678f7bc2963dfe7d00f80de5132f63af
SHA1

b2f9383257887b902b25c7f24e1d6320cb88acea
SHA256

749508570fded7091e235707bd3a1f72c64c2428802abafaa98c47ce970c8df6
SHA512

9fc216681d1e1979cafd33b8c41f116dc99f0e859dd87ed2340e1d3609efc0f302c7c2215500f3bafc3f5b45003898facc55e0fd5c4c7f0097da04977abcb777
SSDEEP

384:lilWWgNgxgygHWWWWW/IHWWWWWXgHBq8iOAwI4LuRu1kKMiIeBWSPSHv7rWektWW:d1H0Ef

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
4	1980	wscript.exe
5	1980	wscript.exe
6	1980	wscript.exe
9	1980	wscript.exe
10	1980	wscript.exe
11	1980	wscript.exe
13	1980	wscript.exe
14	1980	wscript.exe
15	1980	wscript.exe
17	1980	wscript.exe
18	1980	wscript.exe
19	1980	wscript.exe
21	1980	wscript.exe
22	1980	wscript.exe
23	1980	wscript.exe
25	1980	wscript.exe
26	1980	wscript.exe
27	1980	wscript.exe
29	1980	wscript.exe
30	1980	wscript.exe
31	1980	wscript.exe
33	1980	wscript.exe
34	1980	wscript.exe
35	1980	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230428.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230428.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\ORDER-230428 = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-230428.js'"	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-230428 = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-230428.js'"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	26	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	14	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	5	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	9	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	11	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	35	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	23	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	30	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	19	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	22	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	25	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	6	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	10	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	17	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript
HTTP User-Agent header	31	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 1/5/2023\|JavaScript

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230428.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230428.js

Filesize
521KB

MD5
678f7bc2963dfe7d00f80de5132f63af

SHA1
b2f9383257887b902b25c7f24e1d6320cb88acea

SHA256
749508570fded7091e235707bd3a1f72c64c2428802abafaa98c47ce970c8df6

SHA512
9fc216681d1e1979cafd33b8c41f116dc99f0e859dd87ed2340e1d3609efc0f302c7c2215500f3bafc3f5b45003898facc55e0fd5c4c7f0097da04977abcb777

Download Submit

Analysis

Sharing