Overview

overview

10

Static

static

1

ORDER-2405...9FT.js

windows7-x64

10

ORDER-2405...9FT.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-240507-2789FT.js

  • Size

    8KB

  • MD5

    2a60755d218ae24e20471575bfd88b60

  • SHA1

    3096b50ad0794588b64c5e38880f5d1bf17fe699

  • SHA256

    427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b

  • SHA512

    a72dba3c3110dfdbec8556cf40043c63b36578765de51af9e446f75346d36f65643e66ddc0d3728a1b6b83ba4dbbe118e2f0bef0c9a28644f66b75c420c66506

  • SSDEEP

    192:GcEBLu9pDcEBocEBgBcKbWJMeMjrGPFYiaWcEBalN6u9pDcEBwX5J+PT6cEBhAPx:G4

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 27 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 24 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-240507-2789FT.js
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MBBOBL.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MBBOBL.js
    Filesize

    305KB

    MD5

    17003461cc225d40bc046546539cd184

    SHA1

    7b6c8a9f3a803a66a104619f1339799c081a2951

    SHA256

    ed52ee9a440d03ef13610415bac7d9ff52d88d9f846fa4462bde762bbae0752f

    SHA512

    d13edb5aeec37d1e8d1d120e0c2e5e07f252fb5a9ba846dc13c08abda9589cd59982849cac195b66347766c1f2364c8b9729228c70aac28a63af6d2516907da7

    Download Submit