Overview

overview

10

Static

static

1

427b7d14d7...20b.js

windows7-x64

10

427b7d14d7...20b.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b.js

  • Size

    8KB

  • MD5

    2a60755d218ae24e20471575bfd88b60

  • SHA1

    3096b50ad0794588b64c5e38880f5d1bf17fe699

  • SHA256

    427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b

  • SHA512

    a72dba3c3110dfdbec8556cf40043c63b36578765de51af9e446f75346d36f65643e66ddc0d3728a1b6b83ba4dbbe118e2f0bef0c9a28644f66b75c420c66506

  • SSDEEP

    192:GcEBLu9pDcEBocEBgBcKbWJMeMjrGPFYiaWcEBalN6u9pDcEBwX5J+PT6cEBhAPx:G4

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 27 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Script User-Agent 25 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\427b7d14d7b35fce4320a1fdaa5afb6df6698b536322a937b0d838e0281db20b.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MBBOBL.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MBBOBL.js
    Filesize

    305KB

    MD5

    bf62803354132660998a1fe56437bbfe

    SHA1

    231bf1f1a52017d7b3f11400d419c8e4f0691452

    SHA256

    8856b9dd4111bf5af89d69af8ba9efc26cf4e81f7367b876377fb85f872d18e7

    SHA512

    63de4666e8cfd812afaa9c3067cf53a310f284fe32a351ccafa6e7284c7c0e5e5d147adc56c65809941dd26124082cf034784550723a17f0fceaeaf387fbcacd

    Download Submit