wshrat | a183659739697afae7abb37a3946c1ffdb66500c5ae3bc9b874c7f2e6ab7d753

General

Target

2.js
Size

412KB
MD5

995afabc172c24b0b7388b40a6efa29d
SHA1

1f0576d6d3175ca5dffa12d172d2d416f53a32f3
SHA256

8ecb9949938b6e6d118e51428eaf609cc0cf5e0f0c3cbc9e5343104bc1dea6e7
SHA512

7b084b76fcd5d68a6cec804e93963c0960b8059c27f77bbe0b4e0c2ea2dc0736c5dc90deb5e9b5a8831fb604907f3616594be7021d2a07fee1998bf673dcc040
SSDEEP

3072:UGuaAxKTzprcjyg1tJ3SqSmVdAbK1vTIh/BScFOaTB3crTmVyoj/ZaahJUE77xKf:6OZXDZ1uh7AXnzp4zp3fIrBq7

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2040

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 20 IoCs

flow	pid	Process
27	1884	wscript.exe
46	1884	wscript.exe
55	1884	wscript.exe
58	1884	wscript.exe
62	1884	wscript.exe
64	1884	wscript.exe
69	1884	wscript.exe
70	1884	wscript.exe
75	1884	wscript.exe
82	1884	wscript.exe
86	1884	wscript.exe
87	1884	wscript.exe
88	1884	wscript.exe
94	1884	wscript.exe
99	1884	wscript.exe
105	1884	wscript.exe
113	1884	wscript.exe
114	1884	wscript.exe
115	1884	wscript.exe
116	1884	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 18 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	87	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	94	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	105	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	115	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	55	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	75	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	62	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	113	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	99	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	46	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	86	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	114	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	58	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	64	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	88	WSHRAT\|2ED8715E\|NUPNSVML\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 1884	4452	wscript.exe	90
PID 4452 wrote to memory of 1884	4452	wscript.exe	90

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\2.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2.js

Filesize
412KB

MD5
995afabc172c24b0b7388b40a6efa29d

SHA1
1f0576d6d3175ca5dffa12d172d2d416f53a32f3

SHA256
8ecb9949938b6e6d118e51428eaf609cc0cf5e0f0c3cbc9e5343104bc1dea6e7

SHA512
7b084b76fcd5d68a6cec804e93963c0960b8059c27f77bbe0b4e0c2ea2dc0736c5dc90deb5e9b5a8831fb604907f3616594be7021d2a07fee1998bf673dcc040

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads