wshrat | ea9cb59ea8cbd8d1d5f279d32aec457ad469e7e81b03d34d7c34e5cc52195aae

General

Target

Ref-23105_Payment_Slip.pdf.js
Size

7KB
MD5

d19a87919bbe11794fd20377182b5ea3
SHA1

dae311a5e72a0847636ca83c608048cab137fb6b
SHA256

ea9cb59ea8cbd8d1d5f279d32aec457ad469e7e81b03d34d7c34e5cc52195aae
SHA512

f2c49a869b8825b2b0de87a998fe60b4fcd4118c63413c03b23e3d78a6089c7e7d520227f8b52aaad66908d0d3f05cbc519a982a08cd41f662355008599ea23b
SSDEEP

192:4cvGDlrsAQBFbOUFjqpljw4YHpC6pl7n8hU+La+KAC4aEJUe5wedK:4GGDlrsVvFWvj3YHplpxV+LawC4aE2e2

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 30 IoCs

flow	pid	Process
8	4312	wscript.exe
14	4312	wscript.exe
16	4312	wscript.exe
37	5012	wscript.exe
45	5012	wscript.exe
52	5012	wscript.exe
53	5012	wscript.exe
54	5012	wscript.exe
62	5012	wscript.exe
69	5012	wscript.exe
70	5012	wscript.exe
71	5012	wscript.exe
72	5012	wscript.exe
73	5012	wscript.exe
77	5012	wscript.exe
82	5012	wscript.exe
84	5012	wscript.exe
85	5012	wscript.exe
89	5012	wscript.exe
90	5012	wscript.exe
91	5012	wscript.exe
92	5012	wscript.exe
103	5012	wscript.exe
104	5012	wscript.exe
105	5012	wscript.exe
106	5012	wscript.exe
107	5012	wscript.exe
108	5012	wscript.exe
111	5012	wscript.exe
114	5012	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	WScript.exe

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	71	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	37	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	108	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	111	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	92	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	103	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	72	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	104	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	53	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	114	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	106	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	107	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	52	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	54	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	89	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	45	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	105	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	85	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	91	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	73	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	84	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	90	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	69	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|084DE619\|SXUYPNET\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 4264	4312	wscript.exe	86
PID 4312 wrote to memory of 4264	4312	wscript.exe	86
PID 4264 wrote to memory of 3728	4264	WScript.exe	87
PID 4264 wrote to memory of 3728	4264	WScript.exe	87
PID 3728 wrote to memory of 5012	3728	WScript.exe	88
PID 3728 wrote to memory of 5012	3728	WScript.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref-23105_Payment_Slip.pdf.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RUMBKX.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fGxgS.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fGxgS.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RUMBKX.js

Filesize
51KB

MD5
9c334d578b33e9df286d5973198f7344

SHA1
01a85903712649d1f726b64213894742b219ea33

SHA256
69719809516edaab200680b7689e6c0c6541c9245f300babb5ee0a17abd82220

SHA512
8fbc79ed63a291d9601b942027789cff447f7ed89f8537ba481e67fcab2566fc905e91ff3ba31b80ded02c8b5de777a93d49597ff307db039e6b53b66ff15dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads