Malware Analysis Report

2024-10-23 22:01

Sample ID: 230721-g52rcacc73
Target: Request For Quotation.js
SHA256: 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
Tags: wshrat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f

Threat Level: Known bad

The file Request For Quotation.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-21 06:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-21 06:24

Reported: 2023-07-21 06:26

Platform: win7-20230712-en

Max time kernel: 147s

Max time network: 150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5417AB95|DSWJWADP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 21/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2116 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 d88e96b01cbe12a5dbaefd28ccfcc7dc
SHA1 d1c01512b187176428440463eaae7b7d5be2aabf
SHA256 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
SHA512 1dc22521994a390b97ad7e7880f1812b865a22b5c5681bacc3870f37baae37f2772e071f68a6a7b1669664f2c00d0f7c96d8815601bdcef69c43d008da348388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 a6ef227370b32ca1b0d7567e172d5975
SHA1 7f1abd26e34c2dbdf0e998217a7cca34cdfe466a
SHA256 bde1c48442710e851f6e06d0363da0e8debbbc1ab08145d0f11ddc00af754c94
SHA512 7b2699a35f87efe41a7290020689016c8c590551e264dc4029720195a22ce4b891d86d88c97b47127ed5163ec066d2653359ba8969189575f4493488326e1b33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 d88e96b01cbe12a5dbaefd28ccfcc7dc
SHA1 d1c01512b187176428440463eaae7b7d5be2aabf
SHA256 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
SHA512 1dc22521994a390b97ad7e7880f1812b865a22b5c5681bacc3870f37baae37f2772e071f68a6a7b1669664f2c00d0f7c96d8815601bdcef69c43d008da348388

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-21 06:24

Reported: 2023-07-21 06:26

Platform: win10v2004-20230703-en

Max time kernel: 149s

Max time network: 154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 21/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 1584 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 d88e96b01cbe12a5dbaefd28ccfcc7dc
SHA1 d1c01512b187176428440463eaae7b7d5be2aabf
SHA256 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
SHA512 1dc22521994a390b97ad7e7880f1812b865a22b5c5681bacc3870f37baae37f2772e071f68a6a7b1669664f2c00d0f7c96d8815601bdcef69c43d008da348388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 d88e96b01cbe12a5dbaefd28ccfcc7dc
SHA1 d1c01512b187176428440463eaae7b7d5be2aabf
SHA256 8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f
SHA512 1dc22521994a390b97ad7e7880f1812b865a22b5c5681bacc3870f37baae37f2772e071f68a6a7b1669664f2c00d0f7c96d8815601bdcef69c43d008da348388