wshrat | 6aa963d6f4458c282617c2d9d887dd056f84407a592971f5453728f3e73cdce1

General

Target

20191207_PO_HCMCJR_URGENT.js
Size

116KB
MD5

8ab0aa6617da302cfdf3cfd5f69befb2
SHA1

a6598fe37552a5b66d672d12dd3fdbf4d79597dc
SHA256

31c763ec4f5801e2127d655f0e84bba0f020ba2af54ee6f48964b096d53d478c
SHA512

220e52d8f8c8f22fc50614f9cd31c20b19e6201cc065c3653302caadbca64f346caa7dece2d69e46624ac92ea3815882b6f3fa6fe2dea9a3af9f293e9bcd3739
SSDEEP

1536:nwZ/j/5W3lrlGPU1Z9inn6aM9F4LZ7f2vBPgTLJZV+NM1PojBCveiN44QZGxMKQY:nSj/IVEUkxLpfXr1PokG5ZR70CLW

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7744

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
7	2636	wscript.exe
8	2636	wscript.exe
12	2636	wscript.exe
14	2636	wscript.exe
17	2636	wscript.exe
20	2636	wscript.exe
23	2636	wscript.exe
25	2636	wscript.exe
28	2636	wscript.exe
30	2636	wscript.exe
34	2636	wscript.exe
36	2636	wscript.exe
39	2636	wscript.exe
41	2636	wscript.exe
43	2636	wscript.exe
47	2636	wscript.exe
49	2636	wscript.exe
51	2636	wscript.exe
55	2636	wscript.exe
57	2636	wscript.exe
61	2636	wscript.exe
63	2636	wscript.exe
65	2636	wscript.exe
69	2636	wscript.exe
72	2636	wscript.exe
74	2636	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20191207_PO_HCMCJR_URGENT.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXsIHlrYC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXsIHlrYC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20191207_PO_HCMCJR_URGENT.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCXsIHlrYC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\BCXsIHlrYC.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCXsIHlrYC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\BCXsIHlrYC.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	23	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	25	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	47	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	65	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	69	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	28	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	30	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	36	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	61	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	74	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	49	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	12	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	17	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	20	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	34	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	7	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	39	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	63	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	43	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	55	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	8	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	14	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	41	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	57	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	72	WSHRAT\|F4850773\|EILATWEW\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2636	2984	wscript.exe	28
PID 2984 wrote to memory of 2636	2984	wscript.exe	28
PID 2984 wrote to memory of 2636	2984	wscript.exe	28
PID 2984 wrote to memory of 2756	2984	wscript.exe	29
PID 2984 wrote to memory of 2756	2984	wscript.exe	29
PID 2984 wrote to memory of 2756	2984	wscript.exe	29
PID 2756 wrote to memory of 2608	2756	wscript.exe	31
PID 2756 wrote to memory of 2608	2756	wscript.exe	31
PID 2756 wrote to memory of 2608	2756	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20191207_PO_HCMCJR_URGENT.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2636
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\20191207_PO_HCMCJR_URGENT.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js"
    3⤵
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\20191207_PO_HCMCJR_URGENT.js

Filesize
116KB

MD5
8ab0aa6617da302cfdf3cfd5f69befb2

SHA1
a6598fe37552a5b66d672d12dd3fdbf4d79597dc

SHA256
31c763ec4f5801e2127d655f0e84bba0f020ba2af54ee6f48964b096d53d478c

SHA512
220e52d8f8c8f22fc50614f9cd31c20b19e6201cc065c3653302caadbca64f346caa7dece2d69e46624ac92ea3815882b6f3fa6fe2dea9a3af9f293e9bcd3739

Download Submit
C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js

Filesize
43KB

MD5
124e4e08756adab1e64e1353e43b0072

SHA1
8949db2eaa1972e552782380f2d961945dab156c

SHA256
af6ce76d696bbb473434f7cbb3f8870ca24020e264cd32cbbaa8fdd95edec8c1

SHA512
9577802302c603a9d975f5a199e900e41fff67a3acc0e71b0e2675e6bfe26ea2f805988017ec80db7dbeab12d80cbcd1491bda2099b644855ffb1a4bc1fad732

Download Submit
memory/2984-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/2984-1-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2984-2-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2984-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads