Overview

overview

10

Static

static

1

Request Fo...ion.js

windows7-x64

10

Request Fo...ion.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2023 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request For Quotation.js

  • Size

    965KB

  • MD5

    361ff80872705750749fc5c27006aba5

  • SHA1

    d0e36f27aea4f6b17587f68d06f307e368d8443a

  • SHA256

    bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

  • SHA512

    ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

  • SSDEEP

    6144:QQQ2zF22es2/0w7aMT3H2KqPLOSxgEDC4OlNnOm5trZ+DGArhisPGfLA5b0l2uvN:TfG

Score
10/10
wshrattrojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 16 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 15 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2448

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
    Filesize

    965KB

    MD5

    361ff80872705750749fc5c27006aba5

    SHA1

    d0e36f27aea4f6b17587f68d06f307e368d8443a

    SHA256

    bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

    SHA512

    ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
    Filesize

    965KB

    MD5

    361ff80872705750749fc5c27006aba5

    SHA1

    d0e36f27aea4f6b17587f68d06f307e368d8443a

    SHA256

    bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

    SHA512

    ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Request For Quotation.js
    Filesize

    965KB

    MD5

    361ff80872705750749fc5c27006aba5

    SHA1

    d0e36f27aea4f6b17587f68d06f307e368d8443a

    SHA256

    bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

    SHA512

    ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

    Download Submit