wshrat | aed8a6b3191c2097fcbadb520f5d0f7e30b578c23f9abc0ab52b63bbb7abc141

General

Target

Proof Of Payment.js
Size

984KB
MD5

d184c9512e27f412a98e4ad8b2225136
SHA1

06699f9d15e3add90f8b50ac3db0e45b9bbcd671
SHA256

aed8a6b3191c2097fcbadb520f5d0f7e30b578c23f9abc0ab52b63bbb7abc141
SHA512

f17ec0e449fc5d94e5aa635d8e30e06d78d5915f2cbb819ff77e46dcb6bd836a13a286f035e44ae885a764838f0136fec2ad4cfcd1ee1c89dd14f3d082265837
SSDEEP

6144:HQ5h2HwarBPcXUTjpdpiTv0H0nBX7uBKZMiVTuw4JuFuOP88S7d45/qEhTXHINRV:wHFO3cMSK

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:1820

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
5	2736	wscript.exe
6	2736	wscript.exe
7	2736	wscript.exe
8	2736	wscript.exe
9	2736	wscript.exe
11	2736	wscript.exe
12	2736	wscript.exe
14	2736	wscript.exe
16	2736	wscript.exe
18	2736	wscript.exe
19	2736	wscript.exe
20	2736	wscript.exe
21	2736	wscript.exe
22	2736	wscript.exe
23	2736	wscript.exe
30	2736	wscript.exe
31	2736	wscript.exe
32	2736	wscript.exe
33	2736	wscript.exe
34	2736	wscript.exe
35	2736	wscript.exe
36	2736	wscript.exe
37	2736	wscript.exe
38	2736	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proof Of Payment.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proof Of Payment.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proof Of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof Of Payment.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proof Of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof Of Payment.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proof Of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof Of Payment.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proof Of Payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Proof Of Payment.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
3056	regedit.exe
2408	regedit.exe

Script User-Agent 18 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	20	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	21	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	38	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	23	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	30	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	35	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	37	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	36	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	6	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	22	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	34	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 21/9/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3056	3036	wscript.exe	30
PID 3036 wrote to memory of 3056	3036	wscript.exe	30
PID 3036 wrote to memory of 3056	3036	wscript.exe	30
PID 3036 wrote to memory of 2736	3036	wscript.exe	32
PID 3036 wrote to memory of 2736	3036	wscript.exe	32
PID 3036 wrote to memory of 2736	3036	wscript.exe	32
PID 2736 wrote to memory of 2408	2736	wscript.exe	33
PID 2736 wrote to memory of 2408	2736	wscript.exe	33
PID 2736 wrote to memory of 2408	2736	wscript.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.js"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3056
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Proof Of Payment.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\Proof Of Payment.js

Filesize
984KB

MD5
d184c9512e27f412a98e4ad8b2225136

SHA1
06699f9d15e3add90f8b50ac3db0e45b9bbcd671

SHA256
aed8a6b3191c2097fcbadb520f5d0f7e30b578c23f9abc0ab52b63bbb7abc141

SHA512
f17ec0e449fc5d94e5aa635d8e30e06d78d5915f2cbb819ff77e46dcb6bd836a13a286f035e44ae885a764838f0136fec2ad4cfcd1ee1c89dd14f3d082265837

Download Submit
memory/3056-2-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/3056-4-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads