wshrat | 427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b

General

Target

427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b.js
Size

8KB
MD5

2a60755d218ae24e20471575bfd88b60
SHA1

3096b50ad0794588b64c5e38880f5d1bf17fe699
SHA256

427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b
SHA512

a72dba3c3110dfdbec8556cf40043c63b36578765de51af9e446f75346d36f65643e66ddc0d3728a1b6b83ba4dbbe118e2f0bef0c9a28644f66b75c420c66506
SSDEEP

192:GcEBLu9pDcEBocEBgBcKbWJMeMjrGPFYiaWcEBalN6u9pDcEBwX5J+PT6cEBhAPx:G4

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
3	1244	wscript.exe
7	1244	wscript.exe
10	2352	WScript.exe
11	2352	WScript.exe
12	2352	WScript.exe
14	2352	WScript.exe
15	2352	WScript.exe
20	2352	WScript.exe
22	2352	WScript.exe
23	2352	WScript.exe
24	2352	WScript.exe
26	2352	WScript.exe
27	2352	WScript.exe
28	2352	WScript.exe
30	2352	WScript.exe
31	2352	WScript.exe
32	2352	WScript.exe
34	2352	WScript.exe
35	2352	WScript.exe
36	2352	WScript.exe
38	2352	WScript.exe
39	2352	WScript.exe
40	2352	WScript.exe
42	2352	WScript.exe
43	2352	WScript.exe
44	2352	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBBOBL.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBBOBL.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBBOBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\MBBOBL.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBBOBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\MBBOBL.js\""	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	31	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	43	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	15	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	23	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	27	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	14	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	22	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	34	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	35	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	10	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	11	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	12	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	26	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	38	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	39	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	40	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	44	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	20	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|4C364BA4\|UOTHCPHQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 9/5/2024\|JavaScript

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2352	1244	wscript.exe	28
PID 1244 wrote to memory of 2352	1244	wscript.exe	28
PID 1244 wrote to memory of 2352	1244	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MBBOBL.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MBBOBL.js

Filesize
305KB

MD5
bf62803354132660998a1fe56437bbfe

SHA1
231bf1f1a52017d7b3f11400d419c8e4f0691452

SHA256
8856b9dd4111bf5af89d69af8ba9efc26cf4e81f7367b876377fb85f872d18e7

SHA512
63de4666e8cfd812afaa9c3067cf53a310f284fe32a351ccafa6e7284c7c0e5e5d147adc56c65809941dd26124082cf034784550723a17f0fceaeaf387fbcacd

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads