wshrat | 8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

General

Target

POP.js
Size

903KB
MD5

e8b8ceb50d77284cb8124fb02e9f1268
SHA1

72ed9a12200a422140a33c504c0db91ea43a3623
SHA256

8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7
SHA512

0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358
SSDEEP

6144:HQSQDBxonj7aB6Y+XMjIM8yDwGEmxu06wwKhgsaaSLZR2NRPIr3++OHoZ5aCtTKq:wSi2

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:1820

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 23 IoCs

flow	pid	Process
28	2960	wscript.exe
33	2960	wscript.exe
46	2960	wscript.exe
47	2960	wscript.exe
48	2960	wscript.exe
49	2960	wscript.exe
50	2960	wscript.exe
53	2960	wscript.exe
55	2960	wscript.exe
56	2960	wscript.exe
57	2960	wscript.exe
58	2960	wscript.exe
59	2960	wscript.exe
65	2960	wscript.exe
66	2960	wscript.exe
67	2960	wscript.exe
68	2960	wscript.exe
69	2960	wscript.exe
70	2960	wscript.exe
71	2960	wscript.exe
72	2960	wscript.exe
73	2960	wscript.exe
74	2960	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POP.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POP.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wscript.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4836	regedit.exe
2812	regedit.exe

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	74	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	47	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	49	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	56	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	71	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	59	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	65	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	72	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	68	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	73	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	53	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	57	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	58	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	66	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	46	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	48	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	50	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	55	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	67	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4836	5040	wscript.exe	82
PID 5040 wrote to memory of 4836	5040	wscript.exe	82
PID 5040 wrote to memory of 2960	5040	wscript.exe	88
PID 5040 wrote to memory of 2960	5040	wscript.exe	88
PID 2960 wrote to memory of 2812	2960	wscript.exe	89
PID 2960 wrote to memory of 2812	2960	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\POP.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
  2⤵
  - Runs .reg file with regedit
  PID:4836
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\POP.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\POP.js

Filesize
903KB

MD5
e8b8ceb50d77284cb8124fb02e9f1268

SHA1
72ed9a12200a422140a33c504c0db91ea43a3623

SHA256
8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

SHA512
0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads