wshrat | 00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52

General

Target

06858399.js
Size

1010KB
MD5

05f7dda308f1bc24abadf8aa3371330b
SHA1

aa06855668ac9804721adacbc152ff0c302562cc
SHA256

00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52
SHA512

584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7
SSDEEP

3072:7jqQUG/tGfT5hmFesTlDxVa9H8EHGK125p5DE0VsW3ikFBWdtm++fm6KMZ8:7jqQUG/tGfT5hmFesT1xKNoisI

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 18 IoCs

flow	pid	Process
2	1196	wscript.exe
3	1400	wscript.exe
7	1400	wscript.exe
8	1400	wscript.exe
9	1400	wscript.exe
10	1400	wscript.exe
13	1400	wscript.exe
14	1400	wscript.exe
15	1400	wscript.exe
17	1400	wscript.exe
18	1400	wscript.exe
19	1400	wscript.exe
21	1400	wscript.exe
22	1400	wscript.exe
23	1400	wscript.exe
25	1400	wscript.exe
26	1400	wscript.exe
27	1400	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06858399.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06858399.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06858399 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\06858399.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\06858399 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\06858399.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06858399 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\06858399.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\06858399 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\06858399.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 17 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	21	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	26	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	27	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	14	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	17	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	18	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	22	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	9	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	25	WSHRAT\|106B36FF\|HVMHZIYD\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1400	1196	wscript.exe	29
PID 1196 wrote to memory of 1400	1196	wscript.exe	29
PID 1196 wrote to memory of 1400	1196	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06858399.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\06858399.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\06858399.js

Filesize
1010KB

MD5
05f7dda308f1bc24abadf8aa3371330b

SHA1
aa06855668ac9804721adacbc152ff0c302562cc

SHA256
00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52

SHA512
584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06858399.js

Filesize
1010KB

MD5
cf2e87801af6a664ac5ecbc8e164f780

SHA1
93998bce5094a2e25a11706c0ad397388d1dc882

SHA256
d6b5eb97612bcff057e55fa7d319cd63615b67feeee4329d10e488d47f40903f

SHA512
b64f3e89ad52ed2d93c3289db74840ff81d8b155beacf02f1d52d5b300f2c14c88323a77b44125de1ee01e720121e0ad906a9c9f7a6e696262f848b13b2b43e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06858399.js

Filesize
1010KB

MD5
05f7dda308f1bc24abadf8aa3371330b

SHA1
aa06855668ac9804721adacbc152ff0c302562cc

SHA256
00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52

SHA512
584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7

Download Submit

Analysis

Sharing