wshrat | d295442674b1989fd65dea6a56081467424365f1c43ef9b74bff7fdb0f0c77ec

General

Target

Tax Returns of R58,765.js
Size

990KB
MD5

9f0fc6d60f36df9301170a6ec0d3f408
SHA1

88ce1c32a1f7c18f34acf969e839ec4882e1428f
SHA256

d295442674b1989fd65dea6a56081467424365f1c43ef9b74bff7fdb0f0c77ec
SHA512

ddcd02d4b33bc0af4c5f4112ea7d00cef17dc56f0dd90ed8fb5ae0355ff7fb9c7a627f7f4f522954302abe27dee83dcb166f98735b5b49275810d017f2521293
SSDEEP

3072:QQIC0ry/lGgq1YRZILn3cl3hkdMnmxfHtnPr:QQIC0ry/lGgq1YR7y

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 20 IoCs

flow	pid	Process
8	4508	wscript.exe
10	4508	wscript.exe
28	4508	wscript.exe
29	4508	wscript.exe
32	4508	wscript.exe
44	4508	wscript.exe
47	4508	wscript.exe
48	4508	wscript.exe
50	4508	wscript.exe
51	4508	wscript.exe
53	4508	wscript.exe
55	4508	wscript.exe
58	4508	wscript.exe
60	4508	wscript.exe
61	4508	wscript.exe
63	4508	wscript.exe
67	4508	wscript.exe
68	4508	wscript.exe
79	4508	wscript.exe
80	4508	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 19 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	61	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	68	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	79	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	29	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	47	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	63	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	55	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	58	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	60	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	10	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	28	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	53	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	51	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	67	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	80	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	32	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	44	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	50	WSHRAT\|A889F529\|WEYPCEWN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 17/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4508	4848	wscript.exe	82
PID 4848 wrote to memory of 4508	4848	wscript.exe	82

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

Filesize
256KB

MD5
91a9141005198e332df70163ca18d68f

SHA1
28623a0bb08a95b854e304dab7dca9118d965da6

SHA256
1a6269fa48b65e91ca9b2134c57fd0fe796770fe4a1e821a27d3b01236835727

SHA512
f3ee9d146449c6db9ecd1c8643cfceca0c6a96c5c778a70eee0d6a7859ed2eb8c530f596bfeaedc880f700c79172eac6ce44a45caa494b1d105f3d3b2a895262

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

Filesize
990KB

MD5
9f0fc6d60f36df9301170a6ec0d3f408

SHA1
88ce1c32a1f7c18f34acf969e839ec4882e1428f

SHA256
d295442674b1989fd65dea6a56081467424365f1c43ef9b74bff7fdb0f0c77ec

SHA512
ddcd02d4b33bc0af4c5f4112ea7d00cef17dc56f0dd90ed8fb5ae0355ff7fb9c7a627f7f4f522954302abe27dee83dcb166f98735b5b49275810d017f2521293

Download Submit
C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

Filesize
990KB

MD5
9f0fc6d60f36df9301170a6ec0d3f408

SHA1
88ce1c32a1f7c18f34acf969e839ec4882e1428f

SHA256
d295442674b1989fd65dea6a56081467424365f1c43ef9b74bff7fdb0f0c77ec

SHA512
ddcd02d4b33bc0af4c5f4112ea7d00cef17dc56f0dd90ed8fb5ae0355ff7fb9c7a627f7f4f522954302abe27dee83dcb166f98735b5b49275810d017f2521293

Download Submit

Analysis

Sharing