Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
17-06-2024 11:16
General
-
Target
jun17.vbs
-
Size
832KB
-
MD5
9eb84b410320b27a000a848a1c22b91c
-
SHA1
7b84f1301c73993648f0bdf254f1fc202a12aab8
-
SHA256
f44a15168c937d547a57015ccdf034d5f958fa9e9a159e09730b09acb17124dc
-
SHA512
9ab878e70322df08ebe934e18b30d7b151f49a27ca99fafefa77fdd81ef3ed05700671d0e0dc22842355995fd2c5dc39442d60a9559635eda11ca17194d2d203
-
SSDEEP
1536:gAvBzLBDsQjzNGDKJJJcSKqBtW4apIzPmdhpd:lzLBDsQjzNGDKJJJcSKqBscPmdhpd
Malware Config
Extracted
wshrat
http://jinvestments.duckdns.org:7044
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 26 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jun17.vbs"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jun17.vbs"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM kl-plugin.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\kl-plugin.exe"C:\Users\Admin\AppData\Roaming\kl-plugin.exe" jinvestments.duckdns.org 7044 "WSHRAT|F4C153DD|TICCAUTD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 6/17/2024|Visual Basic-v2.0|GB:United Kingdom" 13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
297B
MD5be2ba1a8c142b5fa2178396ac67cb7d8
SHA1b7c3d209d9c95d4b67d7ffb3c777d07f398260a5
SHA2561191fa5928ed7ebf51830c0e601a327fb6480e4f35d9f96962c828b5b45ea260
SHA512cca824422ebcc194e96c6af6c66160409b6c4f9e30af387921ad55712fc4316866e7ac3b2806427f7e06e43e99ef56e612738261f8d38fb58ef2758dc13c9204
-
Filesize
832KB
MD59eb84b410320b27a000a848a1c22b91c
SHA17b84f1301c73993648f0bdf254f1fc202a12aab8
SHA256f44a15168c937d547a57015ccdf034d5f958fa9e9a159e09730b09acb17124dc
SHA5129ab878e70322df08ebe934e18b30d7b151f49a27ca99fafefa77fdd81ef3ed05700671d0e0dc22842355995fd2c5dc39442d60a9559635eda11ca17194d2d203
-
Filesize
25KB
MD57099a939fa30d939ccceb2f0597b19ed
SHA137b644ef5722709cd9024a372db4590916381976
SHA256272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
SHA5126e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721