wshrat | 5e97f6fda0b360ee80bbf174a7fd063a3916c577d3e98d4b05024ef3dd304c51

General

Target

Documento.PDF.js
Size

673KB
MD5

6cfadcba2b7a883a4466a8def0e2b446
SHA1

f2680fb39456133b5e034a8642d32c0682ee5f1f
SHA256

85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718
SHA512

d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64
SSDEEP

1536:lRxRZ4C5xLSYmOL0hQr8uz3PdkLjNrHBbNHSNL9UL5KT6nsQjkB:h3PdkLjNrhbNHSNLEsYE

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2040

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 20 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	25	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	7	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	15	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	17	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	12	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	24	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	28	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	13	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	21	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	23	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	27	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	29	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	11	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	16	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|54024A6F\|VTILVGXH\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Documento.PDF.js
1⤵
- Drops startup file
- Adds Run key to start application
PID:2968
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento.PDF.js"
  2⤵
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Documento.PDF.js

Filesize
70KB

MD5
e420c51b00d93146f3da845d37c0f11d

SHA1
257db0dc0320e78ee49ed66c42869904234051fc

SHA256
464b31f5d27217a07cff2eb5baf864c2d9ca43a17dcc982d2aae32a00ad731d8

SHA512
d682aaca7b5a7bc4a1f65d6cb086f86e076887477b2ae16b0d0589af9e87be913ff9a0de14c805941a9e25830ad8c9974bb8d1ff2cfb72e686e0e2bc6ed2d264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js

Filesize
33KB

MD5
7749134f9db4acd4a6908fcf5bb9c8c3

SHA1
489c00e1b2f262773d72fbe9f8754803e3ceebbf

SHA256
96de0eeb4cb17fcc684944e06ae7f6e1198c10fe088e5b507a1b56e79c29334e

SHA512
727e7092f4aabc65a53298d3af0707702d0bedb78c1ffe73e46ca8f2c879d6e39cb3aa67b955b50dfe1a9c103efcd272971717bd5530a8a581c979901fc95052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js

Filesize
1KB

MD5
11c18265c24dac291cca46dfbf6ba9cb

SHA1
11d50efefe504445e216d0ba23d3e74fddddc582

SHA256
5cd7a13d8875c16dd8e02b80c35c112e40ac1b95f52d15d899cd3f44d26c5995

SHA512
eb64e0b4cfc689ed66a3baf04bea9be51149385fdd8822c7223bf393a718e9e4fdec9782f74ecafa3b3a13d292d2941b850a7764400b373f36ce47132030656e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads