wshrat | ea9cb59ea8cbd8d1d5f279d32aec457ad469e7e81b03d34d7c34e5cc52195aae

General

Target

Ref-23105_Payment_Slip.pdf.js
Size

7KB
MD5

d19a87919bbe11794fd20377182b5ea3
SHA1

dae311a5e72a0847636ca83c608048cab137fb6b
SHA256

ea9cb59ea8cbd8d1d5f279d32aec457ad469e7e81b03d34d7c34e5cc52195aae
SHA512

f2c49a869b8825b2b0de87a998fe60b4fcd4118c63413c03b23e3d78a6089c7e7d520227f8b52aaad66908d0d3f05cbc519a982a08cd41f662355008599ea23b
SSDEEP

192:4cvGDlrsAQBFbOUFjqpljw4YHpC6pl7n8hU+La+KAC4aEJUe5wedK:4GGDlrsVvFWvj3YHplpxV+LawC4aE2e2

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
6	2020	wscript.exe
9	2020	wscript.exe
11	2020	wscript.exe
27	2252	wscript.exe
43	2252	wscript.exe
44	2252	wscript.exe
45	2252	wscript.exe
46	2252	wscript.exe
64	2252	wscript.exe
67	2252	wscript.exe
68	2252	wscript.exe
69	2252	wscript.exe
70	2252	wscript.exe
74	2252	wscript.exe
75	2252	wscript.exe
76	2252	wscript.exe
77	2252	wscript.exe
81	2252	wscript.exe
82	2252	wscript.exe
83	2252	wscript.exe
84	2252	wscript.exe
85	2252	wscript.exe
86	2252	wscript.exe
87	2252	wscript.exe
88	2252	wscript.exe
89	2252	wscript.exe
94	2252	wscript.exe
95	2252	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fGxgS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fGxgS.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	WScript.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	64	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	74	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	85	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	88	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	83	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	84	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	45	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	46	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	67	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	69	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	87	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	89	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	94	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	95	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	43	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	68	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	76	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	82	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	86	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	44	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	75	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|04600E5C\|HFPAJDPV\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2023\|JavaScript

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4052	2020	wscript.exe	83
PID 2020 wrote to memory of 4052	2020	wscript.exe	83
PID 4052 wrote to memory of 4176	4052	WScript.exe	84
PID 4052 wrote to memory of 4176	4052	WScript.exe	84
PID 4176 wrote to memory of 2252	4176	WScript.exe	86
PID 4176 wrote to memory of 2252	4176	WScript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref-23105_Payment_Slip.pdf.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RUMBKX.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fGxgS.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fGxgS.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RUMBKX.js

Filesize
51KB

MD5
9c334d578b33e9df286d5973198f7344

SHA1
01a85903712649d1f726b64213894742b219ea33

SHA256
69719809516edaab200680b7689e6c0c6541c9245f300babb5ee0a17abd82220

SHA512
8fbc79ed63a291d9601b942027789cff447f7ed89f8537ba481e67fcab2566fc905e91ff3ba31b80ded02c8b5de777a93d49597ff307db039e6b53b66ff15dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit
C:\Users\Admin\AppData\Roaming\fGxgS.js

Filesize
21KB

MD5
e9b60a0cf27c5e7308be72e6d1fd8ac4

SHA1
b72377fc96e1965ba136af9988e50ba10d9cea48

SHA256
6ea917b33aede59c617785f6abaa1299414e02e5e2408332c8e837d20f354aa0

SHA512
b768751cc1392cc1ff59a737c9ee8b3ca08f012665dd828c12efe4504117db39795008ee7a0eb4af3661db8330191c34e0e87fdbdaf7e878f7895e84c93237c2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads