Analysis
- max time kernel: 147s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2023 13:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: Tax Returns of R58,765.js
- Resource: win7-20230712-en
General
- Target: Tax Returns of R58,765.js
- Size: 1.1MB
- MD5: ab8fb67d6a83a17522570aa8a995dfab
- SHA1: dd6915a56f453933511a30fc9d235e4c52393bb6
- SHA256: b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
- SHA512: 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f
- SSDEEP: 3072:QQ34n7OrQn9IfjRbFo0ivJYmFyyUaKYCHc1I4Cb1ch:QQVo
Malware Config
Extracted
wshrat
http://harold.2waky.com:3609
Signatures
- Blocklisted process makes network request (16 IoCs)
  Processes: wscript.exe (PID 1416)
  Flows: 29, 31, 39, 45, 59, 60, 61, 62, 70, 74, 75, 76, 89, 90, 95, 96
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes: wscript.exe, wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js (wscript.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 27: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (15 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, identical in flows 31, 39, 45, 59, 60, 61, 62, 70, 74, 75, 76, 89, 90, 95, 96:
  WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 18/7/2023|JavaScript-v3.4|NL:Netherlands
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  PID 2748 (wscript.exe) wrote to memory of PID 1416 (wscript.exe); two events recorded
Processes
1. C:\Windows\system32\wscript.exe (PID 2748)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1416)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
  Filesize: 1.1MB
  MD5: ab8fb67d6a83a17522570aa8a995dfab
  SHA1: dd6915a56f453933511a30fc9d235e4c52393bb6
  SHA256: b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
  SHA512: 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f