wshrat | e3908fd94abd2cda691d19eaeaec4bd07c6199d20e26359d3e10c0dfd26010e8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
29-11-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新指令.js
Size

953KB
MD5

21c25960399a73a630e1a4b8300d811c
SHA1

86152daa4a7edfd28f8a3f3083c804204fce7033
SHA256

f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0
SHA512

7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff
SSDEEP

6144:XQ7Ai2LEudj0YJ404Lb2Hqoivl0WX1u4O9uziIBEJtB8ezLcbtSBYu3FC+ammFVV:gag

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://snk2333.duckdns.org:47471

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 33 IoCs

flow	pid	Process
4	2676	wscript.exe
6	2676	wscript.exe
8	2676	wscript.exe
9	2676	wscript.exe
10	2676	wscript.exe
12	2676	wscript.exe
13	2676	wscript.exe
14	2676	wscript.exe
15	2676	wscript.exe
16	2676	wscript.exe
17	2676	wscript.exe
18	2676	wscript.exe
19	2676	wscript.exe
20	2676	wscript.exe
21	2676	wscript.exe
22	2676	wscript.exe
23	2676	wscript.exe
24	2676	wscript.exe
25	2676	wscript.exe
26	2676	wscript.exe
28	2676	wscript.exe
29	2676	wscript.exe
30	2676	wscript.exe
32	2676	wscript.exe
33	2676	wscript.exe
34	2676	wscript.exe
36	2676	wscript.exe
37	2676	wscript.exe
38	2676	wscript.exe
40	2676	wscript.exe
41	2676	wscript.exe
42	2676	wscript.exe
44	2676	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 31 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	6	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	14	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	16	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	20	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	30	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	40	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	15	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	19	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	38	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	9	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	32	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	41	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	10	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	22	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	23	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	36	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	44	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	24	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	42	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	33	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	8	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	13	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	17	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	18	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	21	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	28	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	25	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	26	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	34	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands
HTTP User-Agent header	37	WSHRAT\|68FE7070\|PTZSFKIF\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 29/11/2023\|JavaScript-v3.4\|NL:The Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2676	1708	wscript.exe	29
PID 1708 wrote to memory of 2676	1708	wscript.exe	29
PID 1708 wrote to memory of 2676	1708	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\新指令.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\新指令.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js

Filesize
953KB

MD5
21c25960399a73a630e1a4b8300d811c

SHA1
86152daa4a7edfd28f8a3f3083c804204fce7033

SHA256
f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0

SHA512
7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js

Filesize
953KB

MD5
21c25960399a73a630e1a4b8300d811c

SHA1
86152daa4a7edfd28f8a3f3083c804204fce7033

SHA256
f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0

SHA512
7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff

Download Submit
C:\Users\Admin\AppData\Roaming\新指令.js

Filesize
953KB

MD5
21c25960399a73a630e1a4b8300d811c

SHA1
86152daa4a7edfd28f8a3f3083c804204fce7033

SHA256
f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0

SHA512
7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads