wshrat | 8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

General

Target

8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js
Size

903KB
MD5

e8b8ceb50d77284cb8124fb02e9f1268
SHA1

72ed9a12200a422140a33c504c0db91ea43a3623
SHA256

8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7
SHA512

0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358
SSDEEP

6144:HQSQDBxonj7aB6Y+XMjIM8yDwGEmxu06wwKhgsaaSLZR2NRPIr3++OHoZ5aCtTKq:wSi2

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:1820

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 32 IoCs

flow	pid	Process
5	2760	wscript.exe
6	2760	wscript.exe
7	2760	wscript.exe
8	2760	wscript.exe
9	2760	wscript.exe
11	2760	wscript.exe
12	2760	wscript.exe
14	2760	wscript.exe
16	2760	wscript.exe
18	2760	wscript.exe
19	2760	wscript.exe
20	2760	wscript.exe
21	2760	wscript.exe
22	2760	wscript.exe
23	2760	wscript.exe
24	2760	wscript.exe
31	2760	wscript.exe
32	2760	wscript.exe
33	2760	wscript.exe
34	2760	wscript.exe
35	2760	wscript.exe
36	2760	wscript.exe
37	2760	wscript.exe
38	2760	wscript.exe
40	2760	wscript.exe
41	2760	wscript.exe
42	2760	wscript.exe
44	2760	wscript.exe
45	2760	wscript.exe
46	2760	wscript.exe
48	2760	wscript.exe
49	2760	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
2076	regedit.exe
2496	regedit.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	35	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	37	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	38	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	22	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	23	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	24	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	42	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	20	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	21	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	41	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	6	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	7	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	44	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	45	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	46	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	48	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	34	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	36	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	40	WSHRAT\|B8BB80FD\|XPAJOTIY\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 4/10/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2076	2196	wscript.exe	30
PID 2196 wrote to memory of 2076	2196	wscript.exe	30
PID 2196 wrote to memory of 2076	2196	wscript.exe	30
PID 2196 wrote to memory of 2760	2196	wscript.exe	32
PID 2196 wrote to memory of 2760	2196	wscript.exe	32
PID 2196 wrote to memory of 2760	2196	wscript.exe	32
PID 2760 wrote to memory of 2496	2760	wscript.exe	33
PID 2760 wrote to memory of 2496	2760	wscript.exe	33
PID 2760 wrote to memory of 2496	2760	wscript.exe	33

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2076
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js

Filesize
903KB

MD5
e8b8ceb50d77284cb8124fb02e9f1268

SHA1
72ed9a12200a422140a33c504c0db91ea43a3623

SHA256
8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

SHA512
0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358

Download Submit
memory/2076-2-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2076-4-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads