Overview

overview

10

Static

static

1

ORDER-2436788-EQU.js

windows7-x64

10

ORDER-2436788-EQU.js

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2024 07:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-2436788-EQU.js

  • Size

    7KB

  • MD5

    c6c65e265e4022e202e8c7f5e64271e9

  • SHA1

    2f6dc1c70380f2c98fea5f98cdf77a17046dfb67

  • SHA256

    06b85304eb7d9ccb2285b4687e69b4cdf033183ee2d67c7559256ab1e5617637

  • SHA512

    22a2159efe41cdd86b883b24264fcd6c713a120c0a197cc9ccf2b33d1d79773fd3dfbb1ff1f3dbc782e429c845b33f46bea459d8c6ccd67aabfe669061409dae

  • SSDEEP

    96:9HuztrQH4tdyUCF4Z4mU44WCFvrUftdyUCFAKzoRfzuzhdfzuzMDDS7KTLttdyUJ:+8sNLOSBJ13DJxkRW2g0PNL1NWPNG3N

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 28 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Script User-Agent 25 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2436788-EQU.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZCTACP.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZCTACP.js
    Filesize

    513KB

    MD5

    0f09ed2f0ae7ae609254c6e03b461853

    SHA1

    5dc0b640724e72a2d14abcb454044ce5ca87bd8c

    SHA256

    3c33fce4a2ff613eaf24f23b030e34d884c40eff5ee1313ea93dcc303fccfa74

    SHA512

    a019ef60dd971b9b50447a6b22a660fb2409b9cea39623f800bc18d6ae42a721e56ff0105b2da213c3ef4ed62b0b88ec282c317e6398c45e2b45429965eae8c8

    Download Submit