wshrat | 197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

General

Target

197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js
Size

187KB
MD5

bc0356063536ebe0867a97a1965a0f52
SHA1

f127953be621382ff50a37ebecef4d17bb3cd7d2
SHA256

197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5
SHA512

40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565
SSDEEP

3072:2aeGK/6dbIpklgVDSxGfmuZRTFBTEsSQ0bamOZkvEzzbURC8:2aeGKgAklgF2GuuZ7auMTFRC8

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023247-3.dat	family_wshrat
behavioral2/files/0x000700000002324a-6.dat	family_wshrat

Blocklisted process makes network request 21 IoCs

flow	pid	Process
11	1332	wscript.exe
12	1332	wscript.exe
38	1332	wscript.exe
48	1332	wscript.exe
51	1332	wscript.exe
63	1332	wscript.exe
64	1332	wscript.exe
65	1332	wscript.exe
66	1332	wscript.exe
67	1332	wscript.exe
68	1332	wscript.exe
69	1332	wscript.exe
70	1332	wscript.exe
71	1332	wscript.exe
72	1332	wscript.exe
73	1332	wscript.exe
74	1332	wscript.exe
75	1332	wscript.exe
76	1332	wscript.exe
79	1332	wscript.exe
81	1332	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1332	2484	wscript.exe	86
PID 2484 wrote to memory of 1332	2484	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js

Filesize
187KB

MD5
bc0356063536ebe0867a97a1965a0f52

SHA1
f127953be621382ff50a37ebecef4d17bb3cd7d2

SHA256
197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

SHA512
40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js

Filesize
64KB

MD5
753e22efd647e793b113a822d6e090b4

SHA1
cf4210942312ad3f5a88d4f90bd6c7c584f63f5f

SHA256
15925f05e02a1a7dfaeb45db9dfeb75c434959397be7370bd7c8341cb7a2316d

SHA512
cf9e9f8c603ca717d0d1ae876cc867381ede05e40f47e3682e5429630808d0b2b336858c3fd9fc73e8b05756d4a11a15b350b02280a4e0c5c2aa1cab5eb5de4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5_JC.js

Filesize
187KB

MD5
bc0356063536ebe0867a97a1965a0f52

SHA1
f127953be621382ff50a37ebecef4d17bb3cd7d2

SHA256
197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

SHA512
40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads