wshrat | af6ece1e6be8d5511a407806c24ca95fbf9e69e6ec595830342dc748868a0d0d

General

Target

PackageTracking.js
Size

2.2MB
MD5

4331a93b3bb41b1dbee33654a356e185
SHA1

5a69f4e88f9ab7e6d7278ae16860c634593bfaa8
SHA256

af6ece1e6be8d5511a407806c24ca95fbf9e69e6ec595830342dc748868a0d0d
SHA512

2e5c3b9a29e39c167336824244868b953908bda5b7e94a02ab0549785d966792d60bed310f4df547c97c1dbccd4742f6ca570f8638c46495955d91176a64338e
SSDEEP

12288:mJvm6+EhCkN1tbZvbssZ+nMXGiK5qqQvUknS+jN55EnMQ7Q0lq8JgEFJPwMhy+lQ:iR5j1DvRXG9Jy8CUPfpg59QIMrJFA

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://172.93.181.132:4848

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
3	976	wscript.exe
4	976	wscript.exe
5	976	wscript.exe
7	976	wscript.exe
9	976	wscript.exe
10	976	wscript.exe
12	976	wscript.exe
13	976	wscript.exe
14	976	wscript.exe
16	976	wscript.exe
17	976	wscript.exe
18	976	wscript.exe
20	976	wscript.exe
21	976	wscript.exe
22	976	wscript.exe
24	976	wscript.exe
25	976	wscript.exe
26	976	wscript.exe
28	976	wscript.exe
29	976	wscript.exe
30	976	wscript.exe
32	976	wscript.exe
33	976	wscript.exe
34	976	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PackageTracking.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PackageTracking.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PackageTracking = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PackageTracking.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\PackageTracking = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PackageTracking.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PackageTracking = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PackageTracking.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\PackageTracking = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PackageTracking.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	16	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	17	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	3	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	4	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	5	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	9	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	24	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	29	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	21	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	7	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	28	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	25	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	26	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	30	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	10	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	12	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	18	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	20	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	22	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript
HTTP User-Agent header	32	WSHRAT\|C0585B3B\|MLXLFKOI\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2023\|JavaScript

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1684	1700	wscript.exe	28
PID 1700 wrote to memory of 1684	1700	wscript.exe	28
PID 1700 wrote to memory of 1684	1700	wscript.exe	28
PID 1700 wrote to memory of 976	1700	wscript.exe	29
PID 1700 wrote to memory of 976	1700	wscript.exe	29
PID 1700 wrote to memory of 976	1700	wscript.exe	29
PID 976 wrote to memory of 1976	976	wscript.exe	30
PID 976 wrote to memory of 1976	976	wscript.exe	30
PID 976 wrote to memory of 1976	976	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PackageTracking.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FTaAuZTnIA.js"
  2⤵
  PID:1684
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PackageTracking.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FTaAuZTnIA.js"
    3⤵
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FTaAuZTnIA.js

Filesize
341KB

MD5
c6041b8e692173004a1454e74fa315bc

SHA1
1175b3b4a1efc85eaaeeb46eba40cb8e0dc8e1b3

SHA256
c11fc52a1e2a7fee44f5d1aff7b4f37eeb56a927d5375bef1308acc31b1d1e4b

SHA512
7b02a0aa71a0fdaf251b553ca47fc925cc1fab977fef6e309a65f8687ef95541fe577831344950d6222c69b15aa72c01b5d1409d1c0d3ba1a1be112afb195d3a

Download Submit
C:\Users\Admin\AppData\Roaming\FTaAuZTnIA.js

Filesize
341KB

MD5
c6041b8e692173004a1454e74fa315bc

SHA1
1175b3b4a1efc85eaaeeb46eba40cb8e0dc8e1b3

SHA256
c11fc52a1e2a7fee44f5d1aff7b4f37eeb56a927d5375bef1308acc31b1d1e4b

SHA512
7b02a0aa71a0fdaf251b553ca47fc925cc1fab977fef6e309a65f8687ef95541fe577831344950d6222c69b15aa72c01b5d1409d1c0d3ba1a1be112afb195d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PackageTracking.js

Filesize
2.2MB

MD5
4331a93b3bb41b1dbee33654a356e185

SHA1
5a69f4e88f9ab7e6d7278ae16860c634593bfaa8

SHA256
af6ece1e6be8d5511a407806c24ca95fbf9e69e6ec595830342dc748868a0d0d

SHA512
2e5c3b9a29e39c167336824244868b953908bda5b7e94a02ab0549785d966792d60bed310f4df547c97c1dbccd4742f6ca570f8638c46495955d91176a64338e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PackageTracking.js

Filesize
2.2MB

MD5
4331a93b3bb41b1dbee33654a356e185

SHA1
5a69f4e88f9ab7e6d7278ae16860c634593bfaa8

SHA256
af6ece1e6be8d5511a407806c24ca95fbf9e69e6ec595830342dc748868a0d0d

SHA512
2e5c3b9a29e39c167336824244868b953908bda5b7e94a02ab0549785d966792d60bed310f4df547c97c1dbccd4742f6ca570f8638c46495955d91176a64338e

Download Submit
C:\Users\Admin\AppData\Roaming\PackageTracking.js

Filesize
2.2MB

MD5
4331a93b3bb41b1dbee33654a356e185

SHA1
5a69f4e88f9ab7e6d7278ae16860c634593bfaa8

SHA256
af6ece1e6be8d5511a407806c24ca95fbf9e69e6ec595830342dc748868a0d0d

SHA512
2e5c3b9a29e39c167336824244868b953908bda5b7e94a02ab0549785d966792d60bed310f4df547c97c1dbccd4742f6ca570f8638c46495955d91176a64338e

Download Submit

Analysis

Sharing