wshrat | 6be098d11f45a26ca51124867301356d56adf5a4901f1710ae34de450d802e67

General

Target

proof of payment.js
Size

909KB
MD5

f27847fc20b30026c51e0af483b9615b
SHA1

ca1efe5d18ed26eb754eea44e489139c6a99784e
SHA256

85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f
SHA512

d639f9caf639f7ddc683c3d6d3baa9d5d238ab9ba2267cad015902ac31462d3b23a72d5f806a64a1b258088df5ced2d240e6f617dfbc3022ff5bebd8e482006e
SSDEEP

6144:MQY6OtQp/eDJ+YQOd5NxqbQ83MJR5Sd6CLvx7IfiOiRYAZ7dFuylY4LDWnMn4Z8X:Xx

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 29 IoCs

flow	pid	Process
7	4092	wscript.exe
9	4092	wscript.exe
30	4092	wscript.exe
37	4092	wscript.exe
38	4092	wscript.exe
39	4092	wscript.exe
45	4092	wscript.exe
59	4092	wscript.exe
63	4092	wscript.exe
64	4092	wscript.exe
65	4092	wscript.exe
66	4092	wscript.exe
68	4092	wscript.exe
69	4092	wscript.exe
70	4092	wscript.exe
71	4092	wscript.exe
72	4092	wscript.exe
76	4092	wscript.exe
78	4092	wscript.exe
79	4092	wscript.exe
80	4092	wscript.exe
81	4092	wscript.exe
82	4092	wscript.exe
83	4092	wscript.exe
84	4092	wscript.exe
85	4092	wscript.exe
86	4092	wscript.exe
91	4092	wscript.exe
92	4092	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 28 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	39	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	70	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	65	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	66	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	82	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	86	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	91	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	92	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	37	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	68	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	69	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	79	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	63	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	80	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	85	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	71	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	83	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	64	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	45	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	59	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	78	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	84	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/9/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4092	4308	wscript.exe	84
PID 4308 wrote to memory of 4092	4308	wscript.exe	84

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\proof of payment.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js

Filesize
64KB

MD5
0aca373a4334eb21d089b664251e9b76

SHA1
40e5344f05a5371e65441db372dfaac96059c6e2

SHA256
36a1d5cf8483538ccd9e4812917be6a8a6937ce01f0fe7ec7fcf0b849e84a09a

SHA512
0ae65730d66572aa70bf8e36a1d36de91f4ad54cd86b305aa70f8beb8f1a3b72d6af9e9ee672f817732ab9de482df8dc3dd3490de5666d4a2f3036b1d8ec9290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js

Filesize
909KB

MD5
f27847fc20b30026c51e0af483b9615b

SHA1
ca1efe5d18ed26eb754eea44e489139c6a99784e

SHA256
85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f

SHA512
d639f9caf639f7ddc683c3d6d3baa9d5d238ab9ba2267cad015902ac31462d3b23a72d5f806a64a1b258088df5ced2d240e6f617dfbc3022ff5bebd8e482006e

Download Submit
C:\Users\Admin\proof of payment.js

Filesize
909KB

MD5
f27847fc20b30026c51e0af483b9615b

SHA1
ca1efe5d18ed26eb754eea44e489139c6a99784e

SHA256
85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f

SHA512
d639f9caf639f7ddc683c3d6d3baa9d5d238ab9ba2267cad015902ac31462d3b23a72d5f806a64a1b258088df5ced2d240e6f617dfbc3022ff5bebd8e482006e

Download Submit

Analysis

Sharing