wshrat | ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15

General

Target

Invoice.js
Size

21KB
MD5

12b2471d3c8dd16efd69ab5aca0678b9
SHA1

15dca12d5e2d7d0281990ee43ffbcd22396fe01a
SHA256

ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15
SHA512

7f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac
SSDEEP

384:6/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:6/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://wishpeople.duckdns.org:9071

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 18 IoCs

flow	pid	Process
13	1860	wscript.exe
97	1860	wscript.exe
134	1860	wscript.exe
135	1860	wscript.exe
136	1860	wscript.exe
137	1860	wscript.exe
138	1860	wscript.exe
139	1860	wscript.exe
140	1860	wscript.exe
141	1860	wscript.exe
142	1860	wscript.exe
143	1860	wscript.exe
144	1860	wscript.exe
145	1860	wscript.exe
146	1860	wscript.exe
147	1860	wscript.exe
151	1860	wscript.exe
152	1860	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 18 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	139	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	142	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	143	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	97	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	134	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	135	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	140	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	136	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	138	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	146	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	147	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	151	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	152	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	137	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	141	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	144	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript
HTTP User-Agent header	145	WSHRAT\|AA342AE5\|NVYNMMTR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/9/2023\|JavaScript

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1672	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1860	5012	wscript.exe	85
PID 5012 wrote to memory of 1860	5012	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
b4958eaaadde9e85cf1b1acae299494a

SHA1
7c17846d10ebeade6a908551a40b86ad81c58b6b

SHA256
12c07204d79fba4f4ae043fb776965a7407f58ef14f1a95e02dc42579e247c1a

SHA512
7c35c88b0e36ab30979f6d734aa3bac8f24247b03f8f4148f75269bda267621a993911520ea6ad7965032ab3109052549d725188e2539b13e3e6078413ed4bab

Download Submit
C:\Users\Admin\AppData\Roaming\Invoice.js

Filesize
21KB

MD5
12b2471d3c8dd16efd69ab5aca0678b9

SHA1
15dca12d5e2d7d0281990ee43ffbcd22396fe01a

SHA256
ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15

SHA512
7f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js

Filesize
21KB

MD5
12b2471d3c8dd16efd69ab5aca0678b9

SHA1
15dca12d5e2d7d0281990ee43ffbcd22396fe01a

SHA256
ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15

SHA512
7f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js

Filesize
21KB

MD5
12b2471d3c8dd16efd69ab5aca0678b9

SHA1
15dca12d5e2d7d0281990ee43ffbcd22396fe01a

SHA256
ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15

SHA512
7f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac

Download Submit
memory/1672-47-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-50-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-41-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-42-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-43-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-44-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-45-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-46-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-24-0x0000024804740000-0x0000024804750000-memory.dmp

Filesize
64KB

Download
memory/1672-48-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-49-0x000002480CD40000-0x000002480CD41000-memory.dmp

Filesize
4KB

Download
memory/1672-40-0x000002480CD20000-0x000002480CD21000-memory.dmp

Filesize
4KB

Download
memory/1672-51-0x000002480C970000-0x000002480C971000-memory.dmp

Filesize
4KB

Download
memory/1672-52-0x000002480C960000-0x000002480C961000-memory.dmp

Filesize
4KB

Download
memory/1672-54-0x000002480C970000-0x000002480C971000-memory.dmp

Filesize
4KB

Download
memory/1672-57-0x000002480C960000-0x000002480C961000-memory.dmp

Filesize
4KB

Download
memory/1672-60-0x000002480C8A0000-0x000002480C8A1000-memory.dmp

Filesize
4KB

Download
memory/1672-8-0x0000024804640000-0x0000024804650000-memory.dmp

Filesize
64KB

Download
memory/1672-72-0x000002480CAA0000-0x000002480CAA1000-memory.dmp

Filesize
4KB

Download
memory/1672-74-0x000002480CAB0000-0x000002480CAB1000-memory.dmp

Filesize
4KB

Download
memory/1672-75-0x000002480CAB0000-0x000002480CAB1000-memory.dmp

Filesize
4KB

Download
memory/1672-76-0x000002480CBC0000-0x000002480CBC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads