Overview

overview

10

Static

static

1

Scan005510.js

windows7-x64

10

Scan005510.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2023 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan005510.js

  • Size

    5.3MB

  • MD5

    dcdd70327905af1b3bee089b4f47a343

  • SHA1

    fc26fd4b71a7d6f94d191eca8ad1e4303a679075

  • SHA256

    58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

  • SHA512

    befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

  • SSDEEP

    6144:XgHrlNOv7uIeLpJMaO/lfSiSiV/r3ZPuK/v4lOVdMorRpVDBqP3nvBrXQklUOu6z:iPB

Score
10/10
wshratdiscoverypersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 20 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 19 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan005510.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan005510.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Users\Admin\AppData\Roaming\Gobiid.exe
        "C:\Users\Admin\AppData\Roaming\Gobiid.exe"
        3⤵
        • Checks QEMU agent file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Roaming\Gobiid.exe
          "C:\Users\Admin\AppData\Roaming\Gobiid.exe"
          4⤵
          • Checks QEMU agent file
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsjA537.tmp\System.dll
    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Gobiid.exe
    Filesize

    471KB

    MD5

    2ac363924422db721825e34bccfad5cc

    SHA1

    22f2163826bc7f585d7ab0e55551e11d418afd31

    SHA256

    67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

    SHA512

    3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Gobiid.exe
    Filesize

    471KB

    MD5

    2ac363924422db721825e34bccfad5cc

    SHA1

    22f2163826bc7f585d7ab0e55551e11d418afd31

    SHA256

    67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

    SHA512

    3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Gobiid.exe
    Filesize

    471KB

    MD5

    2ac363924422db721825e34bccfad5cc

    SHA1

    22f2163826bc7f585d7ab0e55551e11d418afd31

    SHA256

    67c9cd193f85637de60b33b0253e89d5e95e7f263683bfa49e5e1b3745d695db

    SHA512

    3b82a463be8d0ddb2fba006c0880f19b54f8bb88090f6effb69d62dbea0f6a038ce5dffc2808bcea24513be3c23b7dcbe5db3ad334a20a94586e20801f450156

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005510.js
    Filesize

    5.3MB

    MD5

    dcdd70327905af1b3bee089b4f47a343

    SHA1

    fc26fd4b71a7d6f94d191eca8ad1e4303a679075

    SHA256

    58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

    SHA512

    befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan005510.js
    Filesize

    5.3MB

    MD5

    dcdd70327905af1b3bee089b4f47a343

    SHA1

    fc26fd4b71a7d6f94d191eca8ad1e4303a679075

    SHA256

    58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

    SHA512

    befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Scan005510.js
    Filesize

    5.3MB

    MD5

    dcdd70327905af1b3bee089b4f47a343

    SHA1

    fc26fd4b71a7d6f94d191eca8ad1e4303a679075

    SHA256

    58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

    SHA512

    befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjA537.tmp\System.dll
    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjA537.tmp\System.dll
    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    Download Submit

  • memory/2716-82-0x0000000077920000-0x0000000077AC9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2716-85-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2716-84-0x0000000077B10000-0x0000000077BE6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3044-87-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3044-89-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3044-90-0x0000000077920000-0x0000000077AC9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3044-92-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3044-94-0x0000000077920000-0x0000000077AC9000-memory.dmp

    Filesize

    1.7MB

    Download