wshrat | 06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637

General

Target

ORDER-2436788-EQU.js
Size

7KB
MD5

c6c65e265e4022e202e8c7f5e64271e9
SHA1

2f6dc1c70380f2c98fea5f98cdf77a17046dfb67
SHA256

06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637
SHA512

22a2159efe41cdd86b883b24264fcd6c713a120c0a197cc9ccf2b33d1d79773fd3dfbb1ff1f3dbc782e429c845b33f46bea459d8c6ccd67aabfe669061409dae
SSDEEP

96:9HuztrQH4tdyUCF4Z4mU44WCFvrUftdyUCFAKzoRfzuzhdfzuzMDDS7KTLttdyUJ:+8sNLOSBJ13DJxkRW2g0PNL1NWPNG3N

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
5	3356	wscript.exe
7	3356	wscript.exe
9	3356	wscript.exe
29	2312	WScript.exe
32	2312	WScript.exe
33	2312	WScript.exe
42	2312	WScript.exe
54	2312	WScript.exe
55	2312	WScript.exe
56	2312	WScript.exe
57	2312	WScript.exe
59	2312	WScript.exe
64	2312	WScript.exe
65	2312	WScript.exe
66	2312	WScript.exe
68	2312	WScript.exe
69	2312	WScript.exe
72	2312	WScript.exe
73	2312	WScript.exe
74	2312	WScript.exe
75	2312	WScript.exe
77	2312	WScript.exe
78	2312	WScript.exe
79	2312	WScript.exe
80	2312	WScript.exe
81	2312	WScript.exe
82	2312	WScript.exe
85	2312	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCTACP.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCTACP.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZCTACP = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCTACP.js'"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZCTACP = "wscript.exe //B 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCTACP.js'"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	wscript.exe

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	54	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	55	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	56	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	74	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	78	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	57	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	59	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	64	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	66	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	77	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	79	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	29	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	68	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	69	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	73	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	81	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	33	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	65	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	72	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	75	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	80	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript
HTTP User-Agent header	82	WSHRAT\|E094E7CA\|LQHDAPZK\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 6/4/2024\|JavaScript

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2312	3356	wscript.exe	90
PID 3356 wrote to memory of 2312	3356	wscript.exe	90

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2436788-EQU.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZCTACP.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZCTACP.js

Filesize
513KB

MD5
0f09ed2f0ae7ae609254c6e03b461853

SHA1
5dc0b640724e72a2d14abcb454044ce5ca87bd8c

SHA256
3c33fce4a2ff613eaf24f23b030e34d884c40eff5ee1313ea93dcc303fccfa74

SHA512
a019ef60dd971b9b50447a6b22a660fb2409b9cea39623f800bc18d6ae42a721e56ff0105b2da213c3ef4ed62b0b88ec282c317e6398c45e2b45429965eae8c8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads