Overview

overview

10

Static

static

1

Pending_In....JS.js

windows7-x64

10

Pending_In....JS.js

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2024 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pending_Invoice_Bank_Details_kofce_.JS.js

  • Size

    616KB

  • MD5

    9c3aaa1354531b2f4c194af6be1dfce7

  • SHA1

    cef62c19f65f6985bb473c7b2469c3512f916933

  • SHA256

    3680c60d58b895a8a423ee6ce62f9bfc23effb87522194c1637d67c148b9778d

  • SHA512

    ebc2c1a3d28d7ceab9447baa6c1341183ba17f74de24b3bee6ddaaa84c81d6b4edd97c0f90d3231c643da28520626741b81423593b7d29b08fba4dc2d48f0d97

  • SSDEEP

    12288:+YeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEM+:+YeIrWr/qRigAyX/kngXFbjTLvaH28n1

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 12 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 9 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Pending_Invoice_Bank_Details_kofce_.JS.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pending_Invoice_Bank_Details_kofce_.JS.js
    Filesize

    616KB

    MD5

    9c3aaa1354531b2f4c194af6be1dfce7

    SHA1

    cef62c19f65f6985bb473c7b2469c3512f916933

    SHA256

    3680c60d58b895a8a423ee6ce62f9bfc23effb87522194c1637d67c148b9778d

    SHA512

    ebc2c1a3d28d7ceab9447baa6c1341183ba17f74de24b3bee6ddaaa84c81d6b4edd97c0f90d3231c643da28520626741b81423593b7d29b08fba4dc2d48f0d97

    Download Submit