wshrat | 105d218c770d9b297c4dbc6b7b1e176aee64a4766fd8fb894dd9e0a84d51a38c

General

Target

Order-Specification-Copy.js
Size

7KB
MD5

b9041797ab6d337c79b7fe365997b228
SHA1

32a6eec778a00395b34e9afcb1ec27e7d74a530a
SHA256

105d218c770d9b297c4dbc6b7b1e176aee64a4766fd8fb894dd9e0a84d51a38c
SHA512

cfcf8c2d22d9117f969274bed3e74b73f6f3c6870380263fa912db43c18c3f9bd5ce5582d02bca70304fffaa94e3a608902880b5299e76dbb16037c12439eede
SSDEEP

192:bwvNEwkwEC1iAwYNEw7HwHrjwMNEwZwOXNEwMynlbkP:bw1EwkwEC1iAwMEw7HwHrjwwEwZwYEwU

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
4	3760	wscript.exe
5	3760	wscript.exe
7	3760	wscript.exe
9	3760	wscript.exe
15	2156	WScript.exe
36	2156	WScript.exe
39	2156	WScript.exe
40	2156	WScript.exe
42	2156	WScript.exe
47	2156	WScript.exe
54	2156	WScript.exe
55	2156	WScript.exe
58	2156	WScript.exe
59	2156	WScript.exe
70	2156	WScript.exe
71	2156	WScript.exe
72	2156	WScript.exe
73	2156	WScript.exe
74	2156	WScript.exe
75	2156	WScript.exe
76	2156	WScript.exe
77	2156	WScript.exe
78	2156	WScript.exe
79	2156	WScript.exe
80	2156	WScript.exe
81	2156	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFLXVW.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFLXVW.js	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFLXVW = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\MFLXVW.js'"	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFLXVW = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\MFLXVW.js'"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	wscript.exe

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	54	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	59	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	73	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	74	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	15	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	40	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	47	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	78	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	39	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	72	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	75	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	55	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	42	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	58	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	71	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	76	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	80	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript
HTTP User-Agent header	36	WSHRAT\|D0F59775\|TPAVZECK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/5/2023\|JavaScript

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 2156	3760	wscript.exe	84
PID 3760 wrote to memory of 2156	3760	wscript.exe	84

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-Specification-Copy.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MFLXVW.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MFLXVW.js

Filesize
483KB

MD5
62fa4599657b0fe9517ad7c078b57245

SHA1
68f9b0b13b4d5d1ef9948be300ad6fb223d3ba11

SHA256
8b537ea44acdf2595b436ae4fe20228aa01ce99f47b407ce6b6717ca9a6dd788

SHA512
17f23c54e4a4b0216ce8026224081b5eba2e6d9702e1ee345ac1c42815c791f409a182c6862f3c41fc26004825a3223315ca3e8d79d4470ee3f5cfd4d1bbb40f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFLXVW.js

Filesize
483KB

MD5
62fa4599657b0fe9517ad7c078b57245

SHA1
68f9b0b13b4d5d1ef9948be300ad6fb223d3ba11

SHA256
8b537ea44acdf2595b436ae4fe20228aa01ce99f47b407ce6b6717ca9a6dd788

SHA512
17f23c54e4a4b0216ce8026224081b5eba2e6d9702e1ee345ac1c42815c791f409a182c6862f3c41fc26004825a3223315ca3e8d79d4470ee3f5cfd4d1bbb40f

Download Submit

Analysis

Sharing