wshrat | 5e97f6fda0b360ee80bbf174a7fd063a3916c577d3e98d4b05024ef3dd304c51

General

Target

Documento.PDF.js
Size

673KB
MD5

6cfadcba2b7a883a4466a8def0e2b446
SHA1

f2680fb39456133b5e034a8642d32c0682ee5f1f
SHA256

85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718
SHA512

d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64
SSDEEP

1536:lRxRZ4C5xLSYmOL0hQr8uz3PdkLjNrHBbNHSNL9UL5KT6nsQjkB:h3PdkLjNrhbNHSNLEsYE

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2040

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 23 IoCs

flow	pid	Process
13	2324	wscript.exe
17	2324	wscript.exe
32	2324	wscript.exe
39	2324	wscript.exe
47	2324	wscript.exe
49	2324	wscript.exe
61	2324	wscript.exe
74	2324	wscript.exe
80	2324	wscript.exe
85	2324	wscript.exe
95	2324	wscript.exe
126	2324	wscript.exe
135	2324	wscript.exe
150	2324	wscript.exe
165	2324	wscript.exe
180	2324	wscript.exe
190	2324	wscript.exe
210	2324	wscript.exe
218	2324	wscript.exe
219	2324	wscript.exe
225	2324	wscript.exe
228	2324	wscript.exe
260	2324	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	47	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	95	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	165	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	39	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	61	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	74	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	218	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	228	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	49	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	80	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	85	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	126	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	135	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	180	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2324	1340	wscript.exe	24
PID 1340 wrote to memory of 2324	1340	wscript.exe	24

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Documento.PDF.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento.PDF.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Documento.PDF.js

Filesize
381KB

MD5
4d1f2271ea60c39942babd9a2af65f1e

SHA1
e1935bc6cf6a43dac6365436de58eaa45b28464e

SHA256
fb10f0fd675254b2ae49597ba58e9f87efdfde318eb7110262edcddea4c12295

SHA512
ee10ec3dc09a1bd23588cc5aceee5cfeab4f66f5f8678df6d5fbc1c6657b2ca4a832f191dd2bea1cc2d397e89b93659ca0a4a9881457fc9cb3e388afd73f41c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js

Filesize
673KB

MD5
6cfadcba2b7a883a4466a8def0e2b446

SHA1
f2680fb39456133b5e034a8642d32c0682ee5f1f

SHA256
85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718

SHA512
d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads