wshrat | fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05

General

Target

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
Size

7KB
MD5

8a006c1466998c2bde5fa110296bf4da
SHA1

38f5819efe2bfece434ff9de7ce327ad1dab920a
SHA256

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05
SHA512

f90be849f383d9919c8463b4041d1e89a4de5e47cf9ef1dcb21f8af0d326857ce45e75c7100aed1c217b885a077001cfa50bb7489144f5f010e84b20c3d19ece
SSDEEP

96:p8KvZU3TRRkyPWXsy7jZRZcmq74qe0tJLgy0c15Q:rsTRAL/ure0tFgc8

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 29 IoCs

Processes:

wscript.exeWScript.exe

flow	pid	process
4	3416	wscript.exe
7	3416	wscript.exe
9	3416	wscript.exe
22	4312	WScript.exe
36	4312	WScript.exe
43	4312	WScript.exe
44	4312	WScript.exe
45	4312	WScript.exe
56	4312	WScript.exe
57	4312	WScript.exe
58	4312	WScript.exe
59	4312	WScript.exe
60	4312	WScript.exe
63	4312	WScript.exe
67	4312	WScript.exe
71	4312	WScript.exe
72	4312	WScript.exe
73	4312	WScript.exe
74	4312	WScript.exe
78	4312	WScript.exe
88	4312	WScript.exe
89	4312	WScript.exe
90	4312	WScript.exe
91	4312	WScript.exe
92	4312	WScript.exe
93	4312	WScript.exe
94	4312	WScript.exe
95	4312	WScript.exe
96	4312	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTJAHZ.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTJAHZ.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTJAHZ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HTJAHZ.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTJAHZ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HTJAHZ.js\""	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	wscript.exe

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	36	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	56	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	57	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	60	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	63	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	89	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	71	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	88	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	95	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	78	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	73	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	90	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	91	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	92	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	22	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	67	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	94	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	43	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	44	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	58	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	59	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	74	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	93	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	45	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	72	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript
HTTP User-Agent header	96	WSHRAT\|404EE879\|SNFVGQLU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/5/2024\|JavaScript

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3416 wrote to memory of 4312	3416	wscript.exe	WScript.exe
PID 3416 wrote to memory of 4312	3416	wscript.exe	WScript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HTJAHZ.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HTJAHZ.js

Filesize
305KB

MD5
e46b574e60419cc1211889c5334d9ad1

SHA1
7a8dc97591e63ad2c8d95e4ff10db8a154921114

SHA256
19d3f805b1b14e5b30cb12595d980479490079e7b8b44e392d3dc89373aa6cd3

SHA512
a547c6f5cffcd2fb1cb05617cb642e2125ab7cd1fb11cfed72aa3cb4ce151b1bf73b9ef73905e6d9b1654a5d24e5f9cb76504e388489c8c663fb62b9494b6c39

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads