
Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2023, 20:48

General

  • Target

    SoftbankNDA.js

  • Size

    21KB

  • MD5

    c8f19fa9f346f7409e3bba98c1e3f058

  • SHA1

    d857192d59c0ce2196925ce59436e0e36d94b6ee

  • SHA256

    645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

  • SHA512

    cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

  • SSDEEP

    384:n/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:n/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7

Malware Config

Extracted

Family

wshrat

C2

http://homesafe1000.duckdns.org:1604

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (30 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent (30 IoCs)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\SoftbankNDA.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SoftbankNDA.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js

    Filesize

    21KB

    MD5

    5d236290513aee2790a35493f660fffb

    SHA1

    4f611b6dfeaa13e996259db6358c754f7a862b1b

    SHA256

    273e16331b1c3f3dd6992ff552f846744f3f00a5ab920f8e0873130cb601ca27

    SHA512

    56f09239a9dcdf2995a9b382c2f4a89a5673ee4086324370e1f892e39ba0523be5abbaf5d5a4139b09b7bd2517ca401198ee787ca1845fafcac28f6c8499152e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js

    Filesize

    21KB

    MD5

    c8f19fa9f346f7409e3bba98c1e3f058

    SHA1

    d857192d59c0ce2196925ce59436e0e36d94b6ee

    SHA256

    645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

    SHA512

    cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

  • C:\Users\Admin\AppData\Roaming\SoftbankNDA.js

    Filesize

    21KB

    MD5

    c8f19fa9f346f7409e3bba98c1e3f058

    SHA1

    d857192d59c0ce2196925ce59436e0e36d94b6ee

    SHA256

    645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

    SHA512

    cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326