wshrat | 8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b

General

Target

113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js
Size

74KB
MD5

113a1b4222b39b21e5f61e5b8b5b7f5d
SHA1

4f9a37c5f1d708b59b4dae196c89629f7a5496df
SHA256

8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b
SHA512

bc34b7fd054bd013c2b90c15c73e27df7bffa155d55cc75ba1b388473ade2460fc327d498133490d8bb1cad97a8de000e1323163973738b177df975064c4fbf7
SSDEEP

1536:dScQPMz4GlHNvQYviFSD17fdN85bxYYhVfGAGnNUHORWR:ccQPM8GdNv6ERYLN7SNEKWR

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://freehost222.ddns.net:1555

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1208	wscript.exe
6	1208	wscript.exe
8	1208	wscript.exe
9	1208	wscript.exe
10	1208	wscript.exe
11	1208	wscript.exe
12	1208	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	10	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	11	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	12	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	6	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|98243646\|BISMIZHX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/5/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1208	1964	wscript.exe	28
PID 1964 wrote to memory of 1208	1964	wscript.exe	28
PID 1964 wrote to memory of 1208	1964	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js

Filesize
74KB

MD5
113a1b4222b39b21e5f61e5b8b5b7f5d

SHA1
4f9a37c5f1d708b59b4dae196c89629f7a5496df

SHA256
8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b

SHA512
bc34b7fd054bd013c2b90c15c73e27df7bffa155d55cc75ba1b388473ade2460fc327d498133490d8bb1cad97a8de000e1323163973738b177df975064c4fbf7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads