wshrat | 6aa963d6f4458c282617c2d9d887dd056f84407a592971f5453728f3e73cdce1

General

Target

20191207_PO_HCMCJR_URGENT.js
Size

116KB
MD5

8ab0aa6617da302cfdf3cfd5f69befb2
SHA1

a6598fe37552a5b66d672d12dd3fdbf4d79597dc
SHA256

31c763ec4f5801e2127d655f0e84bba0f020ba2af54ee6f48964b096d53d478c
SHA512

220e52d8f8c8f22fc50614f9cd31c20b19e6201cc065c3653302caadbca64f346caa7dece2d69e46624ac92ea3815882b6f3fa6fe2dea9a3af9f293e9bcd3739
SSDEEP

1536:nwZ/j/5W3lrlGPU1Z9inn6aM9F4LZ7f2vBPgTLJZV+NM1PojBCveiN44QZGxMKQY:nSj/IVEUkxLpfXr1PokG5ZR70CLW

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7744

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
10	4260	wscript.exe
23	4260	wscript.exe
24	4260	wscript.exe
37	4260	wscript.exe
45	4260	wscript.exe
55	4260	wscript.exe
56	4260	wscript.exe
65	4260	wscript.exe
66	4260	wscript.exe
67	4260	wscript.exe
68	4260	wscript.exe
72	4260	wscript.exe
73	4260	wscript.exe
74	4260	wscript.exe
78	4260	wscript.exe
82	4260	wscript.exe
83	4260	wscript.exe
84	4260	wscript.exe
85	4260	wscript.exe
87	4260	wscript.exe
88	4260	wscript.exe
89	4260	wscript.exe
90	4260	wscript.exe
91	4260	wscript.exe
96	4260	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20191207_PO_HCMCJR_URGENT.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20191207_PO_HCMCJR_URGENT.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXsIHlrYC.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXsIHlrYC.js	wscript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCXsIHlrYC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\BCXsIHlrYC.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCXsIHlrYC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\BCXsIHlrYC.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20191207_PO_HCMCJR_URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\20191207_PO_HCMCJR_URGENT.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	83	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	85	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	87	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	89	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	96	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	90	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	10	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	23	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	67	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	88	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	24	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	68	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	73	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	55	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	56	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	65	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	74	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	91	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	37	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	66	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	78	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	82	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	84	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	45	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6
HTTP User-Agent header	72	WSHRAT\|A4B55DEC\|OAILVCNY\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/6/2024\|JavaScript-v1.6

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4260	4820	wscript.exe	92
PID 4820 wrote to memory of 4260	4820	wscript.exe	92
PID 4820 wrote to memory of 2252	4820	wscript.exe	93
PID 4820 wrote to memory of 2252	4820	wscript.exe	93
PID 2252 wrote to memory of 2320	2252	wscript.exe	95
PID 2252 wrote to memory of 2320	2252	wscript.exe	95

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20191207_PO_HCMCJR_URGENT.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4260
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\20191207_PO_HCMCJR_URGENT.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js"
    3⤵
    PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\wscript.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Roaming\20191207_PO_HCMCJR_URGENT.js

Filesize
116KB

MD5
8ab0aa6617da302cfdf3cfd5f69befb2

SHA1
a6598fe37552a5b66d672d12dd3fdbf4d79597dc

SHA256
31c763ec4f5801e2127d655f0e84bba0f020ba2af54ee6f48964b096d53d478c

SHA512
220e52d8f8c8f22fc50614f9cd31c20b19e6201cc065c3653302caadbca64f346caa7dece2d69e46624ac92ea3815882b6f3fa6fe2dea9a3af9f293e9bcd3739

Download Submit
C:\Users\Admin\AppData\Roaming\BCXsIHlrYC.js

Filesize
43KB

MD5
124e4e08756adab1e64e1353e43b0072

SHA1
8949db2eaa1972e552782380f2d961945dab156c

SHA256
af6ce76d696bbb473434f7cbb3f8870ca24020e264cd32cbbaa8fdd95edec8c1

SHA512
9577802302c603a9d975f5a199e900e41fff67a3acc0e71b0e2675e6bfe26ea2f805988017ec80db7dbeab12d80cbcd1491bda2099b644855ffb1a4bc1fad732

Download Submit
memory/4260-9-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download
memory/4260-14-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download
memory/4260-25-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download
memory/4820-0-0x00007FFCE8BC5000-0x00007FFCE8BC6000-memory.dmp

Filesize
4KB

Download
memory/4820-1-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download
memory/4820-2-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download
memory/4820-10-0x00007FFCE8910000-0x00007FFCE92B1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads