wshrat | c121c9e47a795e1a614708fdbc9da50031623e115e7c2f25ffbdd7534da8106a

General

Target

Tax Returns of R58,765.js
Size

900KB
MD5

caf0b9b20362d1d503ede2b73907584b
SHA1

e1474ab56c34ec4e13a899aae72fe095e3f54484
SHA256

c121c9e47a795e1a614708fdbc9da50031623e115e7c2f25ffbdd7534da8106a
SHA512

ec71950b943494f5b329c7130261c984454089b454ec4ed311f838d1e2599795921b3773347602551bae9fbf3d0b58a79280d60c20253f227cdc0f9691fbcb02
SSDEEP

6144:QQ3My8GgW0/CSQK1Ap2H5xv5vjPudGSDWs5DjS/svvT1rpoCDzY9pDxaD2zXK1X5:TH

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 19 IoCs

flow	pid	Process
4	1860	wscript.exe
6	1860	wscript.exe
7	1860	wscript.exe
8	1860	wscript.exe
11	1860	wscript.exe
12	1860	wscript.exe
13	1860	wscript.exe
15	1860	wscript.exe
16	1860	wscript.exe
17	1860	wscript.exe
19	1860	wscript.exe
20	1860	wscript.exe
21	1860	wscript.exe
23	1860	wscript.exe
24	1860	wscript.exe
25	1860	wscript.exe
27	1860	wscript.exe
28	1860	wscript.exe
29	1860	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 17 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	25	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	6	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	16	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	24	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	7	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	13	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	20	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	27	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	28	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	12	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	17	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	21	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	11	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1860	1976	wscript.exe	28
PID 1976 wrote to memory of 1860	1976	wscript.exe	28
PID 1976 wrote to memory of 1860	1976	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

Filesize
900KB

MD5
caf0b9b20362d1d503ede2b73907584b

SHA1
e1474ab56c34ec4e13a899aae72fe095e3f54484

SHA256
c121c9e47a795e1a614708fdbc9da50031623e115e7c2f25ffbdd7534da8106a

SHA512
ec71950b943494f5b329c7130261c984454089b454ec4ed311f838d1e2599795921b3773347602551bae9fbf3d0b58a79280d60c20253f227cdc0f9691fbcb02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

Filesize
900KB

MD5
caf0b9b20362d1d503ede2b73907584b

SHA1
e1474ab56c34ec4e13a899aae72fe095e3f54484

SHA256
c121c9e47a795e1a614708fdbc9da50031623e115e7c2f25ffbdd7534da8106a

SHA512
ec71950b943494f5b329c7130261c984454089b454ec4ed311f838d1e2599795921b3773347602551bae9fbf3d0b58a79280d60c20253f227cdc0f9691fbcb02

Download Submit
C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

Filesize
900KB

MD5
caf0b9b20362d1d503ede2b73907584b

SHA1
e1474ab56c34ec4e13a899aae72fe095e3f54484

SHA256
c121c9e47a795e1a614708fdbc9da50031623e115e7c2f25ffbdd7534da8106a

SHA512
ec71950b943494f5b329c7130261c984454089b454ec4ed311f838d1e2599795921b3773347602551bae9fbf3d0b58a79280d60c20253f227cdc0f9691fbcb02

Download Submit

Analysis

Sharing