Overview

overview

10

Static

static

1

05212023840.js

windows7-x64

10

05212023840.js

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2023 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05212023840.js

  • Size

    1.0MB

  • MD5

    9ccea994750b4d63ec5ef4a705f4855e

  • SHA1

    334b5f78ce8d2a73fdb551acd389991552c39b3b

  • SHA256

    b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40

  • SHA512

    736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c

  • SSDEEP

    3072:Cm0EaAcTqGaSqBHJZieEDQjb98Ztp8i8Jkzh:Cm0EaAcTqGaSqBHJZutUGzh

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 19 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 15 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\05212023840.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\05212023840.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\05212023840.js
    Filesize

    1.0MB

    MD5

    9ccea994750b4d63ec5ef4a705f4855e

    SHA1

    334b5f78ce8d2a73fdb551acd389991552c39b3b

    SHA256

    b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40

    SHA512

    736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05212023840.js
    Filesize

    64KB

    MD5

    fcd6bcb56c1689fcef28b57c22475bad

    SHA1

    1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

    SHA256

    de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

    SHA512

    73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05212023840.js
    Filesize

    1.0MB

    MD5

    9ccea994750b4d63ec5ef4a705f4855e

    SHA1

    334b5f78ce8d2a73fdb551acd389991552c39b3b

    SHA256

    b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40

    SHA512

    736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c

    Download Submit