wshrat | 5e97f6fda0b360ee80bbf174a7fd063a3916c577d3e98d4b05024ef3dd304c51

General

Target

Documento.PDF.js
Size

673KB
MD5

6cfadcba2b7a883a4466a8def0e2b446
SHA1

f2680fb39456133b5e034a8642d32c0682ee5f1f
SHA256

85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718
SHA512

d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64
SSDEEP

1536:lRxRZ4C5xLSYmOL0hQr8uz3PdkLjNrHBbNHSNL9UL5KT6nsQjkB:h3PdkLjNrhbNHSNLEsYE

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2040

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 22 IoCs

flow	pid	Process
4	2276	wscript.exe
27	2276	wscript.exe
37	2276	wscript.exe
39	2276	wscript.exe
54	2276	wscript.exe
60	2276	wscript.exe
62	2276	wscript.exe
63	2276	wscript.exe
68	2276	wscript.exe
75	2276	wscript.exe
82	2276	wscript.exe
96	2276	wscript.exe
100	2276	wscript.exe
110	2276	wscript.exe
118	2276	wscript.exe
128	2276	wscript.exe
150	2276	wscript.exe
172	2276	wscript.exe
182	2276	wscript.exe
191	2276	wscript.exe
210	2276	wscript.exe
219	2276	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento.PDF.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	118	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	68	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	96	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	60	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	62	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	75	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	82	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	150	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	27	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	39	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	110	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	37	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	63	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	128	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	54	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	100	WSHRAT\|0E224AB6\|AAKWQUEG\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/1/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2276	3904	wscript.exe	22
PID 3904 wrote to memory of 2276	3904	wscript.exe	22

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Documento.PDF.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento.PDF.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Documento.PDF.js

Filesize
72KB

MD5
e53a15ae68acce36bb5b2f1d4c032f26

SHA1
05c610549c99061922c4cf4b1347c4df1db9558a

SHA256
1d0b07a85235799d59a6fb6c7440ac69dd232f8257c1e766dd549cfa860a44cd

SHA512
41f88873a801b80bb83e2cec28ef1bdbf4263653d4658f3da3e485aaea86fbf18c3b6fd470e023f3e4392be4f2a064f867ea3efbd7598d8ce9bbfbb8512886e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js

Filesize
57KB

MD5
67ba90a3cc54f44ac86abf44c681ddd3

SHA1
1b437f56d4c87f9c066227a2f378805332f1abe7

SHA256
f865efffb9a01933649b37d79cb5bb7322b18f4a9264ac3e130b41a97f6d6e98

SHA512
b40b2b18e00baab43246b17b710d5d7e058824bb44dd54f10b27a0841ff84f4a474687426d19810c7b3afcd7bf66309b28f0b1c40f519741530cd1111fdc33c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento.PDF.js

Filesize
673KB

MD5
6cfadcba2b7a883a4466a8def0e2b446

SHA1
f2680fb39456133b5e034a8642d32c0682ee5f1f

SHA256
85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718

SHA512
d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads