Malware Analysis Report

2024-10-23 22:01

Sample ID 230727-q8btrsff4w
Target NA_47ef53bf5833e55b94c424f1a_JC.vbs
SHA256 47ef53bf5833e55b94c424f1a3560baf56bb672760e89fab43a0eb226720e265
Tags

wshrat persistence trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

47ef53bf5833e55b94c424f1a3560baf56bb672760e89fab43a0eb226720e265

Threat Level: Known bad

The file NA_47ef53bf5833e55b94c424f1a_JC.vbs was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-27 13:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-27 13:55

Reported

2023-07-27 13:58

Platform

win7-20230712-en

Max time kernel

140s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_47ef53bf5833e55b94c424f1a_JC.vbs"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NA_47ef53bf5833e55b94c424f1a_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NA_47ef53bf5833e55b94c424f1a_JC.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_47ef53bf5833e55b94c424f1a_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NA_47ef53bf5833e55b94c424f1a_JC.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_47ef53bf5833e55b94c424f1a_JC.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs

MD5 c1782dd257f96535b081857cd64e2598
SHA1 dcfc5c3fe03e591bc9a6cfb7b008a312eedf343b
SHA256 47ef53bf5833e55b94c424f1a3560baf56bb672760e89fab43a0eb226720e265
SHA512 b39e5eee7a3e8d33ba01ca022bdd564a4ef0c6f00c40adebebec4ee8a310855859fcc1b6834d4361654630518989196e1f0e38160e7feac462a021f52cfe0840

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-27 13:55

Reported

2023-07-27 13:58

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_47ef53bf5833e55b94c424f1a_JC.vbs"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_47ef53bf5833e55b94c424f1a_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NA_47ef53bf5833e55b94c424f1a_JC.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_47ef53bf5833e55b94c424f1a_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NA_47ef53bf5833e55b94c424f1a_JC.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_47ef53bf5833e55b94c424f1a_JC.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 81.144.47.103.in-addr.arpa udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 26.21.101.95.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp
SG 103.47.144.81:7045 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_47ef53bf5833e55b94c424f1a_JC.vbs

MD5 c1782dd257f96535b081857cd64e2598
SHA1 dcfc5c3fe03e591bc9a6cfb7b008a312eedf343b
SHA256 47ef53bf5833e55b94c424f1a3560baf56bb672760e89fab43a0eb226720e265
SHA512 b39e5eee7a3e8d33ba01ca022bdd564a4ef0c6f00c40adebebec4ee8a310855859fcc1b6834d4361654630518989196e1f0e38160e7feac462a021f52cfe0840

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7QVM26BR\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3