wshrat | febb058976fa7da37593ac4e0349c4ec36c7be0aab8e5189eef5f371e8b85202

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01052024_0641_ops.txt.js
Size

1.0MB
MD5

42daa7bdf868134ceab8d25811a002d4
SHA1

84a272ef955d083506ffcc5e26b3c31d534e6a3c
SHA256

febb058976fa7da37593ac4e0349c4ec36c7be0aab8e5189eef5f371e8b85202
SHA512

fce466ee3309c5e2f47120f01b723653a48fb92a10d32f4211eb671b61bfbbf875657ac034afa662b2e86942fbaa737146cb0a0a54d93376729b75e0f38841b4
SSDEEP

24576:91fVMfI63FPav4bmlaTKj+OosGdZIGoWg3eIjWbmXCWHYkH1uYTGDM:LfSfI63FPavibujHosGdGpBeIibmXCuR

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://masterokrwh.duckdns.org:7963

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 31 IoCs

flow	pid	Process
10	1280	wscript.exe
13	1280	wscript.exe
22	1280	wscript.exe
25	1280	wscript.exe
31	1280	wscript.exe
32	1280	wscript.exe
33	1280	wscript.exe
34	1280	wscript.exe
35	1280	wscript.exe
48	1280	wscript.exe
50	1280	wscript.exe
51	1280	wscript.exe
52	1280	wscript.exe
53	1280	wscript.exe
54	1280	wscript.exe
59	1280	wscript.exe
60	1280	wscript.exe
61	1280	wscript.exe
62	1280	wscript.exe
63	1280	wscript.exe
69	1280	wscript.exe
71	1280	wscript.exe
72	1280	wscript.exe
73	1280	wscript.exe
74	1280	wscript.exe
75	1280	wscript.exe
76	1280	wscript.exe
77	1280	wscript.exe
78	1280	wscript.exe
79	1280	wscript.exe
80	1280	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01052024_0641_ops.txt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01052024_0641_ops.txt.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01052024_0641_ops = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01052024_0641_ops.txt.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01052024_0641_ops = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01052024_0641_ops.txt.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
13	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 30 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	59	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	78	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	62	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	35	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	61	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	51	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	53	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	75	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	25	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	71	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	72	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	48	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	50	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	54	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	79	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	34	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	73	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	74	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	80	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	60	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	63	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	76	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	77	WSHRAT\|64D1F064\|LLXDHEWC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\01052024_0641_ops.txt.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01052024_0641_ops.txt.js

Filesize
1.0MB

MD5
42daa7bdf868134ceab8d25811a002d4

SHA1
84a272ef955d083506ffcc5e26b3c31d534e6a3c

SHA256
febb058976fa7da37593ac4e0349c4ec36c7be0aab8e5189eef5f371e8b85202

SHA512
fce466ee3309c5e2f47120f01b723653a48fb92a10d32f4211eb671b61bfbbf875657ac034afa662b2e86942fbaa737146cb0a0a54d93376729b75e0f38841b4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads