wshrat | 60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

General

Target

60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js
Size

1.1MB
MD5

45ece63fd62550c00c23129d45acc6ae
SHA1

428b9734401dbb1c71cbe84894be3ac54f7f8f0f
SHA256

60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928
SHA512

35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935
SSDEEP

24576:xnM9UoHmc6UHyDnk8VYJH2GLvXHLmhWeWJxuLiYZZNJIMmXL/MbiHmKA63OuQFfP:xnmTGCS48ZorOWe6jeZNJIpXjMbiHmKk

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 30 IoCs

Processes:

wscript.exe

flow	pid	process
4	112	wscript.exe
6	112	wscript.exe
8	112	wscript.exe
10	112	wscript.exe
11	112	wscript.exe
12	112	wscript.exe
14	112	wscript.exe
15	112	wscript.exe
16	112	wscript.exe
18	112	wscript.exe
19	112	wscript.exe
20	112	wscript.exe
22	112	wscript.exe
23	112	wscript.exe
24	112	wscript.exe
26	112	wscript.exe
27	112	wscript.exe
28	112	wscript.exe
30	112	wscript.exe
31	112	wscript.exe
32	112	wscript.exe
34	112	wscript.exe
35	112	wscript.exe
36	112	wscript.exe
38	112	wscript.exe
39	112	wscript.exe
40	112	wscript.exe
42	112	wscript.exe
43	112	wscript.exe
44	112	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
8 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	pastebin.com
8	pastebin.com

flow	ioc
3	ip-api.com

Script User-Agent 29 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	43	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	14	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	16	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	22	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	38	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	11	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	20	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	35	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	40	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	30	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	15	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	10	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	12	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	44	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	34	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	36	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	23	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	28	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	42	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	26	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	27	WSHRAT\|D0F97DBD\|IZKCKOTP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 3/5/2024\|JavaScript-v3.4\|GB:United Kingdom

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js

Filesize
1.1MB

MD5
45ece63fd62550c00c23129d45acc6ae

SHA1
428b9734401dbb1c71cbe84894be3ac54f7f8f0f

SHA256
60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

SHA512
35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads