wshrat | 582ea24cd2052b74375774919a7e1f0de80e4bf9884234b26cb417502c1d2a74

General

Target

6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js
Size

899KB
MD5

7fc3ab727001bb3f552bee872b7c90a7
SHA1

f0fa0bdb338ecb45308bc83718559265077b9a86
SHA256

6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a
SHA512

13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a
SSDEEP

6144:QQ5r1A7G9u13eV4pO5SolqKCvOZYuHYKq/ofQZvN0+QPJkh3dqYB2r8YOdchB1VF:TJ

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 21 IoCs

flow	pid	Process
4	1484	wscript.exe
6	1484	wscript.exe
7	1484	wscript.exe
8	1484	wscript.exe
11	1484	wscript.exe
12	1484	wscript.exe
13	1484	wscript.exe
15	1484	wscript.exe
16	1484	wscript.exe
17	1484	wscript.exe
19	1484	wscript.exe
20	1484	wscript.exe
21	1484	wscript.exe
23	1484	wscript.exe
24	1484	wscript.exe
25	1484	wscript.exe
27	1484	wscript.exe
28	1484	wscript.exe
29	1484	wscript.exe
31	1484	wscript.exe
32	1484	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 20 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	27	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	25	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	28	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	32	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	7	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	20	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	21	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	6	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	8	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	12	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	16	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	31	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	11	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	17	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	24	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	29	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 27/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1484	2000	wscript.exe	28
PID 2000 wrote to memory of 1484	2000	wscript.exe	28
PID 2000 wrote to memory of 1484	2000	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

Filesize
899KB

MD5
7fc3ab727001bb3f552bee872b7c90a7

SHA1
f0fa0bdb338ecb45308bc83718559265077b9a86

SHA256
6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a

SHA512
13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

Filesize
899KB

MD5
0ecf7f39a9b781cd4a325d37cad55146

SHA1
98ec3c6de608fbb7d6b992d5134bbfc49092154e

SHA256
b6493d713279ed6f254e65aa7980c900a3c9664a8be61136f440dc427c39ef64

SHA512
1585b4e57a6eea34e3ad84e24685d7ea2d40499bf522c6b2eb626340d6e61211c28e1d0f0afda038ccaeba485ab379f68c33090ab152636dbbdfb6f44ab19692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js

Filesize
899KB

MD5
7fc3ab727001bb3f552bee872b7c90a7

SHA1
f0fa0bdb338ecb45308bc83718559265077b9a86

SHA256
6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a

SHA512
13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a

Download Submit

Analysis

Sharing