wshrat | 645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SoftbankNDA.js
Size

21KB
MD5

c8f19fa9f346f7409e3bba98c1e3f058
SHA1

d857192d59c0ce2196925ce59436e0e36d94b6ee
SHA256

645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808
SHA512

cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326
SSDEEP

384:n/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:n/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://homesafe1000.duckdns.org:1604

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 30 IoCs

flow	pid	Process
13	4412	wscript.exe
40	4412	wscript.exe
41	4412	wscript.exe
56	4412	wscript.exe
57	4412	wscript.exe
58	4412	wscript.exe
66	4412	wscript.exe
73	4412	wscript.exe
74	4412	wscript.exe
75	4412	wscript.exe
76	4412	wscript.exe
77	4412	wscript.exe
78	4412	wscript.exe
79	4412	wscript.exe
80	4412	wscript.exe
81	4412	wscript.exe
82	4412	wscript.exe
83	4412	wscript.exe
84	4412	wscript.exe
85	4412	wscript.exe
86	4412	wscript.exe
87	4412	wscript.exe
88	4412	wscript.exe
89	4412	wscript.exe
90	4412	wscript.exe
91	4412	wscript.exe
92	4412	wscript.exe
93	4412	wscript.exe
97	4412	wscript.exe
98	4412	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 30 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	73	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	89	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	91	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	92	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	57	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	75	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	90	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	97	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	58	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	76	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	80	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	41	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	85	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	88	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	40	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	66	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	74	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	78	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	93	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	98	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	56	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	13	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	83	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	84	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript
HTTP User-Agent header	87	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/9/2023\|JavaScript

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4412	2572	wscript.exe	85
PID 2572 wrote to memory of 4412	2572	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SoftbankNDA.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SoftbankNDA.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js

Filesize
21KB

MD5
5d236290513aee2790a35493f660fffb

SHA1
4f611b6dfeaa13e996259db6358c754f7a862b1b

SHA256
273e16331b1c3f3dd6992ff552f846744f3f00a5ab920f8e0873130cb601ca27

SHA512
56f09239a9dcdf2995a9b382c2f4a89a5673ee4086324370e1f892e39ba0523be5abbaf5d5a4139b09b7bd2517ca401198ee787ca1845fafcac28f6c8499152e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js

Filesize
21KB

MD5
c8f19fa9f346f7409e3bba98c1e3f058

SHA1
d857192d59c0ce2196925ce59436e0e36d94b6ee

SHA256
645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

SHA512
cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

Download Submit
C:\Users\Admin\AppData\Roaming\SoftbankNDA.js

Filesize
21KB

MD5
c8f19fa9f346f7409e3bba98c1e3f058

SHA1
d857192d59c0ce2196925ce59436e0e36d94b6ee

SHA256
645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

SHA512
cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads