Overview

overview

10

Static

static

1

Scan005.js

windows7-x64

10

Scan005.js

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19/05/2023, 07:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan005.js

  • Size

    1019KB

  • MD5

    f05dd469447e50abf638af13d0563d54

  • SHA1

    9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

  • SHA256

    659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

  • SHA512

    f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

  • SSDEEP

    3072:MoZBzWlRm4PuQlGdJkj8qnGBIQggpd0AD:MoZBzWlRm4PuQlGdJLd

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 10 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan005.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:704

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js
    Filesize

    1019KB

    MD5

    f05dd469447e50abf638af13d0563d54

    SHA1

    9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

    SHA256

    659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

    SHA512

    f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js
    Filesize

    1019KB

    MD5

    f05dd469447e50abf638af13d0563d54

    SHA1

    9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

    SHA256

    659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

    SHA512

    f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Scan005.js
    Filesize

    1019KB

    MD5

    f05dd469447e50abf638af13d0563d54

    SHA1

    9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

    SHA256

    659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

    SHA512

    f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wshsdk.zip
    Filesize

    12.4MB

    MD5

    d9a63dfd8b73629421bb44bcde09f312

    SHA1

    7855575c12eaee0e734f3901ca1da2931e9b587a

    SHA256

    9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb

    SHA512

    df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wshsdk\Lib\SITE-P~1\adodbapi\test\is64bit.py
    Filesize

    1KB

    MD5

    ca2cc8e73bbca371935bbc92ed18d567

    SHA1

    1adb458919e842cd78c72b1ff00e5e93cb6ef75e

    SHA256

    bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1

    SHA512

    b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

    Download Submit