wshrat | 659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

General

Target

Scan005.js
Size

1019KB
MD5

f05dd469447e50abf638af13d0563d54
SHA1

9c0f3e6b8177c08d066c7696c6bd77c8614fc1db
SHA256

659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2
SHA512

f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f
SSDEEP

3072:MoZBzWlRm4PuQlGdJkj8qnGBIQggpd0AD:MoZBzWlRm4PuQlGdJLd

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 10 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
2	908	wscript.exe
3	704	wscript.exe
6	704	wscript.exe
11	704	wscript.exe
12	704	wscript.exe
13	704	wscript.exe
14	704	wscript.exe
15	704	wscript.exe
16	704	wscript.exe
18	704	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan005 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan005.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
10	ip-api.com

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	13	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	16	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 908 wrote to memory of 704	908	wscript.exe	wscript.exe
PID 908 wrote to memory of 704	908	wscript.exe	wscript.exe
PID 908 wrote to memory of 704	908	wscript.exe	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan005.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js
Filesize
1019KB

MD5
f05dd469447e50abf638af13d0563d54

SHA1
9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

SHA256
659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

SHA512
f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005.js
Filesize
1019KB

MD5
f05dd469447e50abf638af13d0563d54

SHA1
9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

SHA256
659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

SHA512
f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

Download Submit
C:\Users\Admin\AppData\Roaming\Scan005.js
Filesize
1019KB

MD5
f05dd469447e50abf638af13d0563d54

SHA1
9c0f3e6b8177c08d066c7696c6bd77c8614fc1db

SHA256
659d0615a525282de8d22cd7846442d257dcd1a33e6c6c941d530704954afaf2

SHA512
f76d89d7fd33d36aad977e80eca35d5deaf305e617d45cc453737b8aff9f4aa8d01cb0eded655bc0b0c8dbd485e2cd9e3bd86965bab64fb8e241281e83c7039f

Download Submit
C:\Users\Admin\AppData\Roaming\wshsdk.zip
Filesize
12.4MB

MD5
d9a63dfd8b73629421bb44bcde09f312

SHA1
7855575c12eaee0e734f3901ca1da2931e9b587a

SHA256
9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb

SHA512
df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

Download Submit
C:\Users\Admin\AppData\Roaming\wshsdk\Lib\SITE-P~1\adodbapi\test\is64bit.py
Filesize
1KB

MD5
ca2cc8e73bbca371935bbc92ed18d567

SHA1
1adb458919e842cd78c72b1ff00e5e93cb6ef75e

SHA256
bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1

SHA512
b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads