wshrat | c6b1a76af1ca382029f3d9568863f82257518852812aeeca06da4b0afecdf100

Analysis

max time kernel
110s
max time network
127s
platform
windows10-1703_x64
resource
win10-20240221-es
resource tags

arch:x64arch:x86image:win10-20240221-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
07-03-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ujcqhq.js
Size

222KB
MD5

28a74216e1c944f071b25958d81ec47c
SHA1

ae7013cf61337b4b7555c935a0113d08b50ffd00
SHA256

c6b1a76af1ca382029f3d9568863f82257518852812aeeca06da4b0afecdf100
SHA512

93ab441859afcd8594c64a7c65c0d4a0ca3e5a9a88c9347ebaa919853f0df9ca46be77638041b7107d311e9a670328ca8801e1f117d47d03c491a0e7b3cd770f
SSDEEP

6144:tpDxmeXigeXqd1LdkiOBvRafRHFPAeRnAklgF2GuuZD:T7d1LjOJcfdTtl029q

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ab17-5.dat	family_wshrat

Blocklisted process makes network request 13 IoCs

flow	pid	Process
2	216	wscript.exe
5	216	wscript.exe
7	216	wscript.exe
8	216	wscript.exe
9	216	wscript.exe
10	216	wscript.exe
11	216	wscript.exe
15	216	wscript.exe
16	216	wscript.exe
17	216	wscript.exe
18	216	wscript.exe
19	216	wscript.exe
20	216	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ujcqhq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ujcqhq.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\ujcqhq = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcqhq.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujcqhq = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcqhq.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ujcqhq.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ujcqhq.js

Filesize
222KB

MD5
28a74216e1c944f071b25958d81ec47c

SHA1
ae7013cf61337b4b7555c935a0113d08b50ffd00

SHA256
c6b1a76af1ca382029f3d9568863f82257518852812aeeca06da4b0afecdf100

SHA512
93ab441859afcd8594c64a7c65c0d4a0ca3e5a9a88c9347ebaa919853f0df9ca46be77638041b7107d311e9a670328ca8801e1f117d47d03c491a0e7b3cd770f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads