Malware Analysis Report

2024-10-23 22:01

Sample ID 230718-qcmw6abc6v
Target Tax Returns of R58,765.js
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
Tags
wshrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6

Threat Level: Known bad

The file Tax Returns of R58,765.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 13:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 13:07

Reported

2023-07-18 13:09

Platform

win7-20230712-en

Max time kernel

139s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|A818061C|UMAXQRGK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A
(identical row recorded 16 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2112 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
(identical row recorded 3 times)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
(last row recorded 16 times)

Files

C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

MD5 ab8fb67d6a83a17522570aa8a995dfab
SHA1 dd6915a56f453933511a30fc9d235e4c52393bb6
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
SHA512 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 ab8fb67d6a83a17522570aa8a995dfab
SHA1 dd6915a56f453933511a30fc9d235e4c52393bb6
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
SHA512 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 ab8fb67d6a83a17522570aa8a995dfab
SHA1 dd6915a56f453933511a30fc9d235e4c52393bb6
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
SHA512 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-18 13:07

Reported

2023-07-18 13:09

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

160s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 18/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A
(identical row recorded 15 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 1416 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
(identical row recorded 2 times)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 164.113.222.173.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

MD5 ab8fb67d6a83a17522570aa8a995dfab
SHA1 dd6915a56f453933511a30fc9d235e4c52393bb6
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
SHA512 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 ab8fb67d6a83a17522570aa8a995dfab
SHA1 dd6915a56f453933511a30fc9d235e4c52393bb6
SHA256 b74a0e8adc5f0681405c94a684d6b887fdc20cd6d198d069f0981d6ba7d658c6
SHA512 6ac13d034cdcdb96394fb54fcfbc7b842345ef07244e0dbfb9be886075d78c2c75f7ef084ecf42a68bfd961652fe54add127f66d82f6c97f83689355e16c571f