Overview

overview

10

Static

static

10

invoice-wsl.js

windows7-x64

10

invoice-wsl.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2023 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice-wsl.js

  • Size

    187KB

  • MD5

    bc0356063536ebe0867a97a1965a0f52

  • SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

  • SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

  • SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

  • SSDEEP

    3072:2aeGK/6dbIpklgVDSxGfmuZRTFBTEsSQ0bamOZkvEzzbURC8:2aeGKgAklgF2GuuZ7auMTFRC8

Score
10/10
wshratpersistencetrojan

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 3 IoCs
  • Blocklisted process makes network request 21 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice-wsl.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\invoice-wsl.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit

  • C:\Users\Admin\AppData\Roaming\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit