Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2023, 01:25 UTC

General

  • Target

    6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

  • Size

    899KB

  • MD5

    7fc3ab727001bb3f552bee872b7c90a7

  • SHA1

    f0fa0bdb338ecb45308bc83718559265077b9a86

  • SHA256

    6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a

  • SHA512

    13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a

  • SSDEEP

    6144:QQ5r1A7G9u13eV4pO5SolqKCvOZYuHYKq/ofQZvN0+QPJkh3dqYB2r8YOdchB1VF:TJ

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • Blocklisted process makes network request 21 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 20 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1484

Network

  • flag-us
    DNS
    ip-api.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    wscript.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 27 May 2023 01:26:04 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 305
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    harold.2waky.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    harold.2waky.com
    IN A
    Response
    harold.2waky.com
    IN A
    141.98.6.215
  • flag-nl
    POST
    http://harold.2waky.com:3609/is-ready
    wscript.exe
    Remote address:
    141.98.6.215:3609
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|9CA37D4D|YBHADZIG|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/5/2023|JavaScript-v3.4|IN:India
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: harold.2waky.com:3609
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-nl
    POST
    http://harold.2waky.com:3609/is-ready
    wscript.exe
    Remote address:
    141.98.6.215:3609
    19 further POST requests identical to the one above (same request line, headers and WSHRAT User-Agent; 20 POST /is-ready requests in total)
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    wscript.exe
    507 B
    654 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 141.98.6.215:3609
    http://harold.2waky.com:3609/is-ready
    http
    wscript.exe
    567 B
    172 B
    5
    4

    HTTP Request

    POST http://harold.2waky.com:3609/is-ready
  • 141.98.6.215:3609
    http://harold.2waky.com:3609/is-ready
    http
    wscript.exe
    18 further connections identical to the one above (567 B / 172 B / 5 / 4, one POST http://harold.2waky.com:3609/is-ready each)
  • 141.98.6.215:3609
    http://harold.2waky.com:3609/is-ready
    http
    wscript.exe
    475 B
    92 B
    3
    2

    HTTP Request

    POST http://harold.2waky.com:3609/is-ready
  • 8.8.8.8:53
    ip-api.com
    dns
    wscript.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    harold.2waky.com
    dns
    wscript.exe
    62 B
    78 B
    1
    1

    DNS Request

    harold.2waky.com

    DNS Response

    141.98.6.215

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

    Filesize

    899KB

    MD5

    7fc3ab727001bb3f552bee872b7c90a7

    SHA1

    f0fa0bdb338ecb45308bc83718559265077b9a86

    SHA256

    6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a

    SHA512

    13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

    Filesize

    899KB

    MD5

    0ecf7f39a9b781cd4a325d37cad55146

    SHA1

    98ec3c6de608fbb7d6b992d5134bbfc49092154e

    SHA256

    b6493d713279ed6f254e65aa7980c900a3c9664a8be61136f440dc427c39ef64

    SHA512

    1585b4e57a6eea34e3ad84e24685d7ea2d40499bf522c6b2eb626340d6e61211c28e1d0f0afda038ccaeba485ab379f68c33090ab152636dbbdfb6f44ab19692

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

    Filesize

    899KB

    MD5

    7fc3ab727001bb3f552bee872b7c90a7

    SHA1

    f0fa0bdb338ecb45308bc83718559265077b9a86

    SHA256

    6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a

    SHA512

    13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a