wshrat | 230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7

General

Target

de80ddaf900379871f2bab20d64da027.jar
Size

646KB
MD5

de80ddaf900379871f2bab20d64da027
SHA1

22dbcdac16ba7ced8816a60040eb18a6246ae41a
SHA256

230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7
SHA512

ca997731ef7bb4db84bf1bbde7aff87520e52491ee85721351fd722421f05ac95795515c4d0d3620d77b9b106178a6c930d15d51333a54710ee3aec73a298ce5
SSDEEP

12288:1vRUyXewlgFEanFjj+SpBw6tFZmAT28Al/VFbdOXQW54O:1v/Xb6Djj+SpBwuFT28yLpSQWn

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7755

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 19 IoCs

flow	pid	Process
5	2744	WScript.exe
6	2744	WScript.exe
7	2744	WScript.exe
9	2744	WScript.exe
10	2744	WScript.exe
11	2744	WScript.exe
13	2744	WScript.exe
14	2744	WScript.exe
15	2744	WScript.exe
17	2744	WScript.exe
18	2744	WScript.exe
19	2744	WScript.exe
21	2744	WScript.exe
22	2744	WScript.exe
23	2744	WScript.exe
25	2744	WScript.exe
26	2744	WScript.exe
27	2744	WScript.exe
29	2744	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgGRJNPSpg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgGRJNPSpg.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgGRJNPSpg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fgGRJNPSpg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgGRJNPSpg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fgGRJNPSpg.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 19 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	9	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	14	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	19	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	26	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	5	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	6	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	11	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	17	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	18	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	23	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	15	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	21	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	22	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	25	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	29	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	10	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	13	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	27	WSHRAT\|688E6B44\|HKULBIBU\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2652	2380	java.exe	29
PID 2380 wrote to memory of 2652	2380	java.exe	29
PID 2380 wrote to memory of 2652	2380	java.exe	29
PID 2652 wrote to memory of 2744	2652	wscript.exe	30
PID 2652 wrote to memory of 2744	2652	wscript.exe	30
PID 2652 wrote to memory of 2744	2652	wscript.exe	30
PID 2652 wrote to memory of 2712	2652	wscript.exe	31
PID 2652 wrote to memory of 2712	2652	wscript.exe	31
PID 2652 wrote to memory of 2712	2652	wscript.exe	31

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\de80ddaf900379871f2bab20d64da027.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\nhmwnazhun.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fgGRJNPSpg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2744
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dilxzqk.txt"
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dilxzqk.txt

Filesize
473KB

MD5
904c4cb027c6dbeac8d2850cdb0fa941

SHA1
1ed01eadeb06170146bcaf2dfe10c89f44efbb81

SHA256
60020b81cd86c6a9b01c75e5cd3032f7ece56e9c01f006baf54ede596c3358f2

SHA512
71de2348cac9e8c27b27ae29467ffceaef9c222aecfd12a577253c3cc50303707245a19270c810ada014ac33f250402b5af6af48b3190ed0a9a8fb366bb3f937

Download Submit
C:\Users\Admin\AppData\Roaming\fgGRJNPSpg.js

Filesize
38KB

MD5
815b5c008f8b2bb67507a6068464a403

SHA1
b7f223f0a7a2bf727f644dec738f7906c92bcb71

SHA256
35975e25a3c6fb69dca3058471d3007044b3201bd92a100af9991662d318fca9

SHA512
d15017f1074bc72ad37abd24a54222f8251942b94f30f75ec428163c44a9878cd859ae1b857536bb6810a9b5bbfd5a5b4c8092b4963b4ad8c32ac64c977fe889

Download Submit
C:\Users\Admin\nhmwnazhun.js

Filesize
984KB

MD5
a4c65358fa348d0bc87fbbb45678704a

SHA1
98bb903b4f7cb38d403a8d3e3113441bd0f35f48

SHA256
57aede656aa44b33d49b2ff259740e7c3ac4637e5b58c5da9a83266e68cc41e4

SHA512
f5ab2692aa8dfd9395377ffcff3670655a92ab536c3d26d1fec37ae7fb5ed303250effa81f9853352f4224d8ff28873f92271424f21458c66c523240c2d1bced

Download Submit
memory/2380-6-0x00000000023F0000-0x00000000053F0000-memory.dmp

Filesize
48.0MB

Download
memory/2380-12-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2652-18-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-20-0x0000000006780000-0x0000000006800000-memory.dmp

Filesize
512KB

Download
memory/2652-22-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-26-0x00000000057F0000-0x0000000005870000-memory.dmp

Filesize
512KB

Download
memory/2744-25-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-31-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-32-0x00000000057F0000-0x0000000005870000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads