wshrat | 06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637

General

Target

ORDER-2436788-EQU.js
Size

7KB
MD5

c6c65e265e4022e202e8c7f5e64271e9
SHA1

2f6dc1c70380f2c98fea5f98cdf77a17046dfb67
SHA256

06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637
SHA512

22a2159efe41cdd86b883b24264fcd6c713a120c0a197cc9ccf2b33d1d79773fd3dfbb1ff1f3dbc782e429c845b33f46bea459d8c6ccd67aabfe669061409dae
SSDEEP

96:9HuztrQH4tdyUCF4Z4mU44WCFvrUftdyUCFAKzoRfzuzhdfzuzMDDS7KTLttdyUJ:+8sNLOSBJ13DJxkRW2g0PNL1NWPNG3N

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
4	352	wscript.exe
7	352	wscript.exe
10	2552	WScript.exe
11	2552	WScript.exe
12	2552	WScript.exe
14	2552	WScript.exe
17	2552	WScript.exe
18	2552	WScript.exe
20	2552	WScript.exe
21	2552	WScript.exe
22	2552	WScript.exe
24	2552	WScript.exe
25	2552	WScript.exe
26	2552	WScript.exe
28	2552	WScript.exe
29	2552	WScript.exe
30	2552	WScript.exe
32	2552	WScript.exe
33	2552	WScript.exe
34	2552	WScript.exe
36	2552	WScript.exe
37	2552	WScript.exe
38	2552	WScript.exe
40	2552	WScript.exe
41	2552	WScript.exe
42	2552	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCTACP.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCTACP.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZCTACP = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCTACP.js'"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZCTACP = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCTACP.js'"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	25	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	37	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	38	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	10	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	17	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	18	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	21	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	22	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	28	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	12	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	33	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	34	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	20	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	29	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	40	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	41	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	14	WSHRAT\|48DFC225\|GHPZRGFC\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 6/4/2024\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2552	352	wscript.exe	28
PID 352 wrote to memory of 2552	352	wscript.exe	28
PID 352 wrote to memory of 2552	352	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2436788-EQU.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZCTACP.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZCTACP.js

Filesize
513KB

MD5
0f09ed2f0ae7ae609254c6e03b461853

SHA1
5dc0b640724e72a2d14abcb454044ce5ca87bd8c

SHA256
3c33fce4a2ff613eaf24f23b030e34d884c40eff5ee1313ea93dcc303fccfa74

SHA512
a019ef60dd971b9b50447a6b22a660fb2409b9cea39623f800bc18d6ae42a721e56ff0105b2da213c3ef4ed62b0b88ec282c317e6398c45e2b45429965eae8c8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads