wshrat | 230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7

General

Target

de80ddaf900379871f2bab20d64da027.jar
Size

646KB
MD5

de80ddaf900379871f2bab20d64da027
SHA1

22dbcdac16ba7ced8816a60040eb18a6246ae41a
SHA256

230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7
SHA512

ca997731ef7bb4db84bf1bbde7aff87520e52491ee85721351fd722421f05ac95795515c4d0d3620d77b9b106178a6c930d15d51333a54710ee3aec73a298ce5
SSDEEP

12288:1vRUyXewlgFEanFjj+SpBw6tFZmAT28Al/VFbdOXQW54O:1v/Xb6Djj+SpBwuFT28yLpSQWn

Score

10^/10

wshrat discovery persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7755

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 16 IoCs

flow	pid	Process
10	4152	WScript.exe
12	4152	WScript.exe
13	4152	WScript.exe
20	4152	WScript.exe
43	4152	WScript.exe
68	4152	WScript.exe
76	4152	WScript.exe
83	4152	WScript.exe
84	4152	WScript.exe
85	4152	WScript.exe
89	4152	WScript.exe
91	4152	WScript.exe
92	4152	WScript.exe
93	4152	WScript.exe
94	4152	WScript.exe
95	4152	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgGRJNPSpg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgGRJNPSpg.js	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3768	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgGRJNPSpg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fgGRJNPSpg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgGRJNPSpg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\fgGRJNPSpg.js\""	WScript.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	wscript.exe

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	93	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	10	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	83	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	85	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	94	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	95	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	12	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	68	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	84	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	89	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	43	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	76	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	91	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	92	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3
HTTP User-Agent header	20	WSHRAT\|88B04596\|MKDQUQPQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2024\|JavaScript-v1.3

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4688	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3768	4844	java.exe	91
PID 4844 wrote to memory of 3768	4844	java.exe	91
PID 4844 wrote to memory of 3184	4844	java.exe	93
PID 4844 wrote to memory of 3184	4844	java.exe	93
PID 3184 wrote to memory of 4152	3184	wscript.exe	95
PID 3184 wrote to memory of 4152	3184	wscript.exe	95
PID 3184 wrote to memory of 4568	3184	wscript.exe	96
PID 3184 wrote to memory of 4568	3184	wscript.exe	96
PID 4568 wrote to memory of 4688	4568	javaw.exe	98
PID 4568 wrote to memory of 4688	4568	javaw.exe	98

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\de80ddaf900379871f2bab20d64da027.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3768
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\nhmwnazhun.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fgGRJNPSpg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4152
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bdimvitvxi.txt"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.232739149613286467459103372022947470.class
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c3bad003c24a28000f1ac1dd25217e6f

SHA1
80b064bed03e4c635ee945d819d98ce783756a11

SHA256
55afb6083a703b5b43ca3935f75298049c628d85a3a808778a57f5149eebd0f6

SHA512
1016ada909e7156d7bd7f19fe997d8f5b0f58dbd9b44e426db06cd21faf247bc9ecc5f7563f96f07a4df567cde4269a32faee3aa9318a2cafa407e664a7ed471

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b9fc9526dc32522be4eea31d96b56a50

SHA1
b8e81df25f67b9ba29363d3501a59e1dc402bf8b

SHA256
2f9622dc85031b7a414e1e4968a157467cf64e98cf798c3625e9b63946954226

SHA512
10ea41fa211b6d4954383f066c9620663106c3908631bb96ba206b9d38b07b1e01195eb2fa35eed2700279a1e2b7520370e3b4b0fc796e916ecd992b842d2d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.232739149613286467459103372022947470.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3045580317-3728985860-206385570-1000\83aa4cc77f591dfc2374580bbd95f6ba_2d983147-f9f1-498d-be7e-1997eada874a

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\bdimvitvxi.txt

Filesize
473KB

MD5
904c4cb027c6dbeac8d2850cdb0fa941

SHA1
1ed01eadeb06170146bcaf2dfe10c89f44efbb81

SHA256
60020b81cd86c6a9b01c75e5cd3032f7ece56e9c01f006baf54ede596c3358f2

SHA512
71de2348cac9e8c27b27ae29467ffceaef9c222aecfd12a577253c3cc50303707245a19270c810ada014ac33f250402b5af6af48b3190ed0a9a8fb366bb3f937

Download Submit
C:\Users\Admin\AppData\Roaming\fgGRJNPSpg.js

Filesize
38KB

MD5
815b5c008f8b2bb67507a6068464a403

SHA1
b7f223f0a7a2bf727f644dec738f7906c92bcb71

SHA256
35975e25a3c6fb69dca3058471d3007044b3201bd92a100af9991662d318fca9

SHA512
d15017f1074bc72ad37abd24a54222f8251942b94f30f75ec428163c44a9878cd859ae1b857536bb6810a9b5bbfd5a5b4c8092b4963b4ad8c32ac64c977fe889

Download Submit
C:\Users\Admin\nhmwnazhun.js

Filesize
984KB

MD5
a4c65358fa348d0bc87fbbb45678704a

SHA1
98bb903b4f7cb38d403a8d3e3113441bd0f35f48

SHA256
57aede656aa44b33d49b2ff259740e7c3ac4637e5b58c5da9a83266e68cc41e4

SHA512
f5ab2692aa8dfd9395377ffcff3670655a92ab536c3d26d1fec37ae7fb5ed303250effa81f9853352f4224d8ff28873f92271424f21458c66c523240c2d1bced

Download Submit
memory/3184-16-0x00007FFEEE1D0000-0x00007FFEEEB71000-memory.dmp

Filesize
9.6MB

Download
memory/3184-18-0x000001C8F1CA0000-0x000001C8F1CB0000-memory.dmp

Filesize
64KB

Download
memory/3184-30-0x00007FFEEE1D0000-0x00007FFEEEB71000-memory.dmp

Filesize
9.6MB

Download
memory/3184-17-0x00007FFEEE1D0000-0x00007FFEEEB71000-memory.dmp

Filesize
9.6MB

Download
memory/4152-29-0x00007FFEEE1D0000-0x00007FFEEEB71000-memory.dmp

Filesize
9.6MB

Download
memory/4152-32-0x000001FB36DA0000-0x000001FB36DB0000-memory.dmp

Filesize
64KB

Download
memory/4152-99-0x00007FFEEE1D0000-0x00007FFEEEB71000-memory.dmp

Filesize
9.6MB

Download
memory/4152-100-0x000001FB36DA0000-0x000001FB36DB0000-memory.dmp

Filesize
64KB

Download
memory/4568-41-0x000001C7AC620000-0x000001C7AD620000-memory.dmp

Filesize
16.0MB

Download
memory/4568-48-0x000001C7AAD60000-0x000001C7AAD61000-memory.dmp

Filesize
4KB

Download
memory/4568-49-0x000001C7AAD60000-0x000001C7AAD61000-memory.dmp

Filesize
4KB

Download
memory/4688-50-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-88-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-71-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-74-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-75-0x0000017CEAD20000-0x0000017CEAD21000-memory.dmp

Filesize
4KB

Download
memory/4688-81-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-85-0x0000017CEAD20000-0x0000017CEAD21000-memory.dmp

Filesize
4KB

Download
memory/4688-62-0x0000017CEAD20000-0x0000017CEAD21000-memory.dmp

Filesize
4KB

Download
memory/4688-92-0x0000017CEAD20000-0x0000017CEAD21000-memory.dmp

Filesize
4KB

Download
memory/4688-94-0x0000017CEC8C0000-0x0000017CEC8D0000-memory.dmp

Filesize
64KB

Download
memory/4688-95-0x0000017CEC8F0000-0x0000017CEC900000-memory.dmp

Filesize
64KB

Download
memory/4688-96-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4688-103-0x0000017CEC620000-0x0000017CED620000-memory.dmp

Filesize
16.0MB

Download
memory/4844-14-0x00000253A8700000-0x00000253A8701000-memory.dmp

Filesize
4KB

Download
memory/4844-4-0x00000253A9D40000-0x00000253AAD40000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads