wshrat | 043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5

General

Target

043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js
Size

616KB
MD5

67ae1f3636df193b2b7897bc536fcf76
SHA1

f3a94059adecc0de3615ebe2fb7df65599b3361b
SHA256

043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5
SHA512

2c0e76588a79f88036d51a4e628bf8120ca36a3c788b5066004955e0c2be855aa8b5ee357e9b2332d5957ce3c6da23d63539fa0eb730596e08a3574a180093c1
SSDEEP

12288:MYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMZ:MYeIrWr/qRigAyX/kngXFbjTLvaH28n8

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 16 IoCs

Processes:

wscript.exe

flow	pid	process
4	3912	wscript.exe
7	3912	wscript.exe
9	3912	wscript.exe
11	3912	wscript.exe
23	3912	wscript.exe
26	3912	wscript.exe
32	3912	wscript.exe
34	3912	wscript.exe
50	3912	wscript.exe
57	3912	wscript.exe
58	3912	wscript.exe
59	3912	wscript.exe
60	3912	wscript.exe
73	3912	wscript.exe
75	3912	wscript.exe
76	3912	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 pastebin.com
26 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
15	pastebin.com
26	pastebin.com

flow	ioc
30	ip-api.com

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	34	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	58	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	59	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	60	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	75	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	76	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	50	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	57	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	73	WSHRAT\|28CFF580\|NQPTTMRM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 13/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5.js

Filesize
616KB

MD5
67ae1f3636df193b2b7897bc536fcf76

SHA1
f3a94059adecc0de3615ebe2fb7df65599b3361b

SHA256
043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5

SHA512
2c0e76588a79f88036d51a4e628bf8120ca36a3c788b5066004955e0c2be855aa8b5ee357e9b2332d5957ce3c6da23d63539fa0eb730596e08a3574a180093c1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads