Malware Analysis Report

2024-10-23 22:01

Sample ID 230714-j4zlpscg75
Target Request For Quotation.js
SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
Tags wshrat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17

Threat Level: Known bad

The file Request For Quotation.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-07-14 08:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-07-14 08:14
Reported 2023-07-14 08:16
Platform win7-20230712-en
Max time kernel 142s
Max time network 148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|241BFC28|NYBYVYTJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A (16 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1884 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (3 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp (16 identical connections)

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 6802893839ecd1df26e60959bf4bfbd5
SHA1 91102e6f69fc112599939bdb891f46617c893947
SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
SHA512 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 635e34d5f446e5526cd4d7f25032a063
SHA1 e0e1ed53367e2192c92d4651f10669e491976e54
SHA256 9318bf0047b502a6f978c7093f236c75c45b6669c72a8be9f90dca0731578e1a
SHA512 8fbe11449f461ba1ac7985d3f89bedaf0ba50bc1fafed675a3ee1c3196d25726f45aff27354c34736ef3bf9a2fbf3e89678856a34ef2f5d0cb439ab2ea3b8558

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 6802893839ecd1df26e60959bf4bfbd5
SHA1 91102e6f69fc112599939bdb891f46617c893947
SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
SHA512 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205

Analysis: behavioral2

Detonation Overview

Submitted 2023-07-14 08:14
Reported 2023-07-14 08:16
Platform win10v2004-20230703-en
Max time kernel 149s
Max time network 156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|DAEBE96E|MSXGLQPS|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A (17 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 4664 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (2 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp (17 identical connections, interleaved with the reverse lookups below)
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 6802893839ecd1df26e60959bf4bfbd5
SHA1 91102e6f69fc112599939bdb891f46617c893947
SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
SHA512 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 6802893839ecd1df26e60959bf4bfbd5
SHA1 91102e6f69fc112599939bdb891f46617c893947
SHA256 eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
SHA512 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205