Overview

overview

10

Static

static

10

invoice-wsl.js

windows7-x64

10

invoice-wsl.js

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2023 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice-wsl.js

  • Size

    187KB

  • MD5

    bc0356063536ebe0867a97a1965a0f52

  • SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

  • SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

  • SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

  • SSDEEP

    3072:2aeGK/6dbIpklgVDSxGfmuZRTFBTEsSQ0bamOZkvEzzbURC8:2aeGKgAklgF2GuuZ7auMTFRC8

Score
10/10
wshratpersistencetrojan

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 3 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\invoice-wsl.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\invoice-wsl.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit

  • C:\Users\Admin\AppData\Roaming\invoice-wsl.js
    Filesize

    187KB

    MD5

    bc0356063536ebe0867a97a1965a0f52

    SHA1

    f127953be621382ff50a37ebecef4d17bb3cd7d2

    SHA256

    197e07455f8920039c0a30b9c95f847e02d29c9d7bd50488a350b53e747ba9c5

    SHA512

    40f1d16054d103b4f9be044c9cb34f73fb042a62ea29e205f13a4f0b2565dbaa3e9d7954e9d288a748a125495891c2ed2f19104e5fc1353c745879e16ca02565

    Download Submit