wshrat | 2db5dfc57b5ecd0cf2825e985507ea40dc3419b51f86794c5bd95dd8f92b3276

General

Target

07052024_1016_Invoice879340_Payment_09784359302_PDF.js
Size

616KB
MD5

46c7528b89b7228e05f84b73f73dddbd
SHA1

eefac6832616c9d74432923113d6e531bc5089c6
SHA256

2db5dfc57b5ecd0cf2825e985507ea40dc3419b51f86794c5bd95dd8f92b3276
SHA512

b5fff9d4732873940fb31a2606388e17e614abae29970bce01d20ffcdbcdef8404aead2fcaef452db6621dbcac3bc813928fab8bdb56788986a4db0a56989dea
SSDEEP

12288:fYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMa:fYeIrWr/qRigAyX/kngXFbjTLvaH28np

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
6	3708	wscript.exe
9	3708	wscript.exe
11	3708	wscript.exe
13	3708	wscript.exe
14	3708	wscript.exe
21	3708	wscript.exe
24	3708	wscript.exe
31	3708	wscript.exe
38	3708	wscript.exe
43	3708	wscript.exe
60	3708	wscript.exe
67	3708	wscript.exe
68	3708	wscript.exe
69	3708	wscript.exe
70	3708	wscript.exe
74	3708	wscript.exe
76	3708	wscript.exe
77	3708	wscript.exe
81	3708	wscript.exe
82	3708	wscript.exe
83	3708	wscript.exe
84	3708	wscript.exe
86	3708	wscript.exe
87	3708	wscript.exe
88	3708	wscript.exe
89	3708	wscript.exe
93	3708	wscript.exe
95	3708	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07052024_1016_Invoice879340_Payment_09784359302_PDF.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07052024_1016_Invoice879340_Payment_09784359302_PDF.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07052024_1016_Invoice879340_Payment_09784359302_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07052024_1016_Invoice879340_Payment_09784359302_PDF.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07052024_1016_Invoice879340_Payment_09784359302_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07052024_1016_Invoice879340_Payment_09784359302_PDF.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
12	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	87	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	95	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	77	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	82	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	83	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	84	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	74	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	81	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	86	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	88	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	68	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	76	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	89	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	24	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	38	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	43	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	93	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	67	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 7/5/2024\|JavaScript-v3.4\|GB:United Kingdom

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\07052024_1016_Invoice879340_Payment_09784359302_PDF.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07052024_1016_Invoice879340_Payment_09784359302_PDF.js

Filesize
616KB

MD5
46c7528b89b7228e05f84b73f73dddbd

SHA1
eefac6832616c9d74432923113d6e531bc5089c6

SHA256
2db5dfc57b5ecd0cf2825e985507ea40dc3419b51f86794c5bd95dd8f92b3276

SHA512
b5fff9d4732873940fb31a2606388e17e614abae29970bce01d20ffcdbcdef8404aead2fcaef452db6621dbcac3bc813928fab8bdb56788986a4db0a56989dea

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads