Overview

overview

10

Static

static

1

ORDER-2461...-24.js

windows7-x64

10

ORDER-2461...-24.js

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-06-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-24617-01667859-24.js

  • Size

    7KB

  • MD5

    f3e6a7eba2bd6ca312768ac1560bad6f

  • SHA1

    04a683416a38f3c8acf06b64fd5e598a2902f684

  • SHA256

    7a06aaf3103d9dce60c0c4652fd505c7a8df42c826d486be1973008d1c22c838

  • SHA512

    4ea84c8c33a0fa6a235f6b5ec620e172a5ea5f4a9f372307ea9e1946d6393326bec448e32cadacb1c444270c973046a09be3c590fb7ae61fcc76999553e03265

  • SSDEEP

    48:95jUotZH9ZR0/kdlZK8rflZPos9ZPfBjBZfo5CvA7ehZvKoN69ZLi1t16r1SBZ5B:T0/ZYbukAKdrKBXB1XBdi

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://jinvestments.duckdns.org:7044

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 26 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24617-01667859-24.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HTYBQC.vbs"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3840
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM kl-plugin.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
        • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
          "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" jinvestments.duckdns.org 7044 "WSHRAT|5C6941C0|PXHSTPPU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 6/17/2024|Visual Basic-v2.0|GB:United Kingdom" 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1084
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
    1⤵
      PID:3380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\json[1].json
      Filesize

      297B

      MD5

      be2ba1a8c142b5fa2178396ac67cb7d8

      SHA1

      b7c3d209d9c95d4b67d7ffb3c777d07f398260a5

      SHA256

      1191fa5928ed7ebf51830c0e601a327fb6480e4f35d9f96962c828b5b45ea260

      SHA512

      cca824422ebcc194e96c6af6c66160409b6c4f9e30af387921ad55712fc4316866e7ac3b2806427f7e06e43e99ef56e612738261f8d38fb58ef2758dc13c9204

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs
      Filesize

      832KB

      MD5

      9eb84b410320b27a000a848a1c22b91c

      SHA1

      7b84f1301c73993648f0bdf254f1fc202a12aab8

      SHA256

      f44a15168c937d547a57015ccdf034d5f958fa9e9a159e09730b09acb17124dc

      SHA512

      9ab878e70322df08ebe934e18b30d7b151f49a27ca99fafefa77fdd81ef3ed05700671d0e0dc22842355995fd2c5dc39442d60a9559635eda11ca17194d2d203

      Download Submit

    • C:\Users\Admin\AppData\Roaming\kl-plugin.exe
      Filesize

      25KB

      MD5

      7099a939fa30d939ccceb2f0597b19ed

      SHA1

      37b644ef5722709cd9024a372db4590916381976

      SHA256

      272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

      SHA512

      6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

      Download Submit