Malware Analysis Report

2024-10-23 22:01

Sample ID: 230718-lvcfxshd84
Target: bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29
SHA256: bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29
Tags: wshrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29

Threat Level: Known bad

The file bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29 was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT payload

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 09:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 09:50

Reported

2023-07-18 09:53

Platform

win10-20230703-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\software\microsoft\windows\currentversion\run
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\XcJBL = wscript.exe //B "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcJBL = wscript.exe //B "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"
Process: C:\Windows\SysWOW64\wscript.exe
Target: N/A

The same value is written twice: once under the user's HKCU Run key and once under HKLM. The HKLM copy lands under WOW6432Node because the writer is the 32-bit wscript.exe and registry redirection maps its HKLM\Software writes there; both keys are processed at logon, and the HKLM write succeeding shows the sample ran with rights to modify HKLM\Software. The //B switch runs the script in batch mode, suppressing error dialogs and prompts.
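The Startup-folder drop and the Run-key writes above are one persistence behaviour observed at two autostart locations. The following is an added example, not part of this report, of hunting for that behaviour in endpoint telemetry: it takes registry-set and file-create events in a Sysmon-like dict layout (the layout is an assumption; the registry paths, file paths and Run value data are the ones listed in this report, and the OneDrive row is a constructed benign control) and flags Run values that launch wscript.exe or cscript.exe on a script under a user-writable directory, noting the //B switch, as well as script files written to the per-user Startup folder.

```python
"""Hunt for WSH-based autostart persistence (Run value + Startup folder drop).
Added example, not part of the sandbox report. Event dicts mimic Sysmon's
RegistrySetValue / FileCreate events; that shape is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)$", re.I)
WSH_HOST = re.compile(r"(?:^|\\)[wc]script(?:\.exe)?\b", re.I)
# Locations a standard user can write to; autostart scripts living here are suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
BATCH_SWITCH = re.compile(r"(?<!\S)//B(?!\S)", re.I)  # //B: no error dialogs, no prompts


@dataclass(frozen=True)
class Finding:
    technique: str   # which autostart location was abused
    indicator: str   # registry value path or file path
    process: str     # image that wrote it
    reason: str


def script_argument(cmdline: str) -> Optional[str]:
    """Return the script path handed to wscript/cscript, or None when the command
    line does not run a WSH host or carries no script-like argument."""
    if not WSH_HOST.search(cmdline):
        return None
    quoted = re.findall(r'"([^"]+)"', cmdline)
    for token in quoted + cmdline.split():
        token = token.strip('"')
        if SCRIPT_EXT.search(token):
            return token
    return None


def find_persistence(events: list) -> list:
    """Apply the Run-key and Startup-folder rules to a list of event dicts."""
    findings = []
    for ev in events:
        target, image = ev["target"], ev["image"]
        if ev["event"] == "RegistrySetValue":
            m = RUN_VALUE.search(target)
            data = ev.get("details", "")
            script = script_argument(data)
            if m and script:
                reasons = [f"Run value {m.group(1)!r} starts a WSH script"]
                if USER_WRITABLE.search(script):
                    reasons.append("script is in a user-writable directory")
                if BATCH_SWITCH.search(data):
                    reasons.append("//B batch mode hides script errors")
                findings.append(Finding("Run key", target, image, "; ".join(reasons)))
        elif ev["event"] == "FileCreate":
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
                findings.append(Finding("Startup folder", target, image,
                                        "script written to the per-user Startup folder"))
    return findings


# Constructed events: the first three reuse the paths and value data from the
# report; the last is a benign control that must not produce a finding.
SID = "S-1-5-21-2393848421-2120571652-2495149697-1000"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
RUN_DATA = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"'
SAMPLE_EVENTS = [
    {"event": "RegistrySetValue", "image": WSCRIPT, "details": RUN_DATA,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\XcJBL"},
    {"event": "RegistrySetValue", "image": WSCRIPT, "details": RUN_DATA,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcJBL"},
    {"event": "FileCreate", "image": WSCRIPT,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs"},
    {"event": "RegistrySetValue",
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.indicator}\n    by {f.process}: {f.reason}")
```

The rules key on the script host and the script's location rather than on the value name or file name, since WSHRAT randomises those per sample (XcJBL here); the OneDrive control shows that a signed binary registered under Run with an ordinary command line passes untouched.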

Looks up external IP address via web service

Indicator: ip-api.com (description, process and target not recorded)

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header
Indicator: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Process: N/A
Target: N/A

This string is the default User-Agent the WinHttp.WinHttpRequest.5.1 COM object sends when a script sets none, so the request was issued from script code rather than a browser; it is a cheap proxy-log filter for WSH-based malware, with the caveat that legitimate administrative scripts use the same object.

Processes

C:\Users\Admin\AppData\Local\Temp\bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe

"C:\Users\Admin\AppData\Local\Temp\bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"

The command line names the System32 copy of wscript.exe while the executed image is the SysWOW64 copy: the dropper is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64 for it. Detections for this process chain should match on the image path, not on the command line.

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 185.38.151.11:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 11.151.38.185.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 131.222.90.45.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
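Added example, not part of the report: a triage pass over the Network table above. It collapses the repeated connections to 45.90.222.131:7121 into one beacon candidate (a hard-coded address with no DNS resolution, on a non-standard port), records the external IP lookup via ip-api.com, and decodes the in-addr.arpa queries so that PTR lookups for addresses the sample never connected to can be set aside as probable sandbox or OS background traffic. The rows are the report's own (the 18 identical C2 rows are collapsed into a repeat); the beacon threshold and the list of IP-lookup services are assumptions.

```python
"""Triage a sandbox connection table: beacon candidates, IP-lookup services,
and PTR queries for addresses that were never contacted.
Added example, not part of the sandbox report."""
from collections import Counter
import ipaddress

IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}  # assumed list
STANDARD_PORTS = {80, 443}
BEACON_MIN_CONNECTIONS = 5   # assumed threshold for "repeated"

# Rows copied from the report's Network table (country, destination, domain, proto).
REPORT_ROWS = [
    "US 8.8.8.8:53 astatech-cn.com udp",
    "GB 185.38.151.11:80 astatech-cn.com tcp",
    "US 8.8.8.8:53 ip-api.com udp",
    "US 208.95.112.1:80 ip-api.com tcp",
    "US 8.8.8.8:53 11.151.38.185.in-addr.arpa udp",
    "US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp",
    "US 8.8.8.8:53 131.222.90.45.in-addr.arpa udp",
    "US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp",
    "US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp",
    "US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp",
] + ["US 45.90.222.131:7121 45.90.222.131 tcp"] * 18   # the 18 identical C2 rows


def parse_rows(lines):
    """Split whitespace-separated table rows into dicts with an int port."""
    rows = []
    for line in lines:
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """'11.151.38.185.in-addr.arpa' -> '185.38.151.11'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    tcp = [r for r in rows if r["proto"] == "tcp"]
    counts = Counter((r["ip"], r["port"]) for r in tcp)
    contacted = {r["ip"] for r in tcp}

    beacons = []
    for (ip, port), n in counts.items():
        domains = {r["domain"] for r in tcp if r["ip"] == ip and r["port"] == port}
        bare_ip = domains == {ip}   # no hostname was resolved: address is hard-coded
        if n >= BEACON_MIN_CONNECTIONS and (bare_ip or port not in STANDARD_PORTS):
            beacons.append({"ip": ip, "port": port, "connections": n, "bare_ip": bare_ip})

    lookups = {r["domain"].lower() for r in tcp if r["domain"].lower() in IP_LOOKUP_SERVICES}

    # PTR queries for addresses that never appear as a TCP peer are not the
    # sample's doing; they are the OS or sandbox resolving names in the background.
    stray_ptr = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target and target not in contacted:
                stray_ptr.add(target)

    return {"beacons": beacons, "ip_lookups": sorted(lookups), "stray_ptr": sorted(stray_ptr)}


if __name__ == "__main__":
    for key, value in triage(parse_rows(REPORT_ROWS)).items():
        print(f"{key}: {value}")
```

On this table the only beacon candidate is 45.90.222.131:7121 with 18 connections, which is the indicator worth pushing to network controls; the single connections to astatech-cn.com and ip-api.com stay below the threshold, and the three PTR targets that never appear as peers (20.224.151.203, 20.101.57.9, 51.11.192.50) should not be attributed to the sample.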

Files

memory/4404-122-0x0000000000C20000-0x0000000000CAA000-memory.dmp

memory/4404-123-0x0000000074010000-0x00000000746FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\XcJBL.vbs

MD5 c437bda2e3045d21e7300dd3bb844cbb
SHA1 89fda9b463529b2309b8e1bd859f0cdeb2a8203f
SHA256 418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa
SHA512 d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

memory/4404-127-0x0000000074010000-0x00000000746FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs

MD5 c437bda2e3045d21e7300dd3bb844cbb
SHA1 89fda9b463529b2309b8e1bd859f0cdeb2a8203f
SHA256 418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa
SHA512 d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KFR0RUGG\json[1].json

MD5 149c2823b7eadbfb0a82388a2ab9494f
SHA1 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
SHA256 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
SHA512 f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe