Malware Analysis Report

2024-10-23 22:01

Sample ID 230719-p4mj2aff7s
Target Tax Returns of R58,765.js
SHA256 cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
Tags: wshrat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35

Threat Level: Known bad

The file Tax Returns of R58,765.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-19 12:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-19 12:53

Reported

2023-07-19 12:55

Platform

win7-20230712-en

Max time kernel

141s

Max time network

148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (identical header observed in 10 requests)
Indicator: WSHRAT|A818061C|UMAXQRGK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2372 wrote to memory of 2904 (3 events)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp (12 connections)

Files

C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

MD5 33300fb747c6677625aa17d03e1010f3
SHA1 b1bea456907b59a8182a0f01cc0e90f6e32e2779
SHA256 cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
SHA512 3c7af332da0a394354b0f3245a7677149ea63bdb5e6b5fcbd7fe984d338c1cecb7e299e127859c1dafc4bf199d3d8c3923d2c32213ab292ccc7aa42558b65764

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 33300fb747c6677625aa17d03e1010f3
SHA1 b1bea456907b59a8182a0f01cc0e90f6e32e2779
SHA256 cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
SHA512 3c7af332da0a394354b0f3245a7677149ea63bdb5e6b5fcbd7fe984d338c1cecb7e299e127859c1dafc4bf199d3d8c3923d2c32213ab292ccc7aa42558b65764

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-19 12:53

Reported

2023-07-19 12:55

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (identical header observed in 12 requests)
Indicator: WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2332 wrote to memory of 3380 (2 events)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 254.133.241.8.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js

MD5 33300fb747c6677625aa17d03e1010f3
SHA1 b1bea456907b59a8182a0f01cc0e90f6e32e2779
SHA256 cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
SHA512 3c7af332da0a394354b0f3245a7677149ea63bdb5e6b5fcbd7fe984d338c1cecb7e299e127859c1dafc4bf199d3d8c3923d2c32213ab292ccc7aa42558b65764

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js

MD5 33300fb747c6677625aa17d03e1010f3
SHA1 b1bea456907b59a8182a0f01cc0e90f6e32e2779
SHA256 cbe7d5663fd5359a72f88e44d083703d9625235929c31e0f5b16a0b42cb44d35
SHA512 3c7af332da0a394354b0f3245a7677149ea63bdb5e6b5fcbd7fe984d338c1cecb7e299e127859c1dafc4bf199d3d8c3923d2c32213ab292ccc7aa42558b65764