strrat | 3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85

General

Target

3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85.js
Size

7KB
MD5

f9909c7c05d71c1d6b64286308f98acc
SHA1

285b28cb198161825f9860c9d92d394b4e5432bd
SHA256

3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85
SHA512

57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93
SSDEEP

192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb

Score

10^/10

strrat wshrat execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

jinvestments.duckdns.org:44662

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 27 IoCs

flow	pid	Process
4	2128	wscript.exe
7	2776	wscript.exe
8	2776	wscript.exe
9	2776	wscript.exe
11	2776	wscript.exe
12	2776	wscript.exe
13	2776	wscript.exe
15	2776	wscript.exe
16	2776	wscript.exe
17	2776	wscript.exe
19	2776	wscript.exe
20	2776	wscript.exe
21	2776	wscript.exe
23	2776	wscript.exe
24	2776	wscript.exe
25	2776	wscript.exe
27	2776	wscript.exe
28	2776	wscript.exe
29	2776	wscript.exe
31	2776	wscript.exe
32	2776	wscript.exe
33	2776	wscript.exe
35	2776	wscript.exe
36	2776	wscript.exe
37	2776	wscript.exe
39	2776	wscript.exe
40	2776	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 26 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	35	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	37	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	7	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	15	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	23	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	27	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	28	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	9	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	16	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	20	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	25	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	24	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	29	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	33	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	36	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	8	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	11	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	17	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	19	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	39	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	40	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	32	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	12	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	13	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	21	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript
HTTP User-Agent header	31	WSHRAT\|7CBFD7FF\|CCJBVTGQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/12/2024\|JavaScript

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2468	2128	wscript.exe	32
PID 2128 wrote to memory of 2468	2128	wscript.exe	32
PID 2128 wrote to memory of 2468	2128	wscript.exe	32
PID 2468 wrote to memory of 2760	2468	WScript.exe	33
PID 2468 wrote to memory of 2760	2468	WScript.exe	33
PID 2468 wrote to memory of 2760	2468	WScript.exe	33
PID 2468 wrote to memory of 2876	2468	WScript.exe	34
PID 2468 wrote to memory of 2876	2468	WScript.exe	34
PID 2468 wrote to memory of 2876	2468	WScript.exe	34
PID 2760 wrote to memory of 2776	2760	WScript.exe	35
PID 2760 wrote to memory of 2776	2760	WScript.exe	35
PID 2760 wrote to memory of 2776	2760	WScript.exe	35
PID 2876 wrote to memory of 2624	2876	WScript.exe	36
PID 2876 wrote to memory of 2624	2876	WScript.exe	36
PID 2876 wrote to memory of 2624	2876	WScript.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ELMAMV.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:2776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\BDl.jar"
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BDl.jar

Filesize
265KB

MD5
100bbed27b8141ab3a41c35b110844b3

SHA1
94ff90d69a7e4b07b6ebb9ff96ba5913376c4876

SHA256
05f0093f5b7ff5497c2a4c9bc86abfd001a450aa55d16b66a2707dfcac704886

SHA512
a3977f2df0eeaef7e9cc6314d82edd2dbe2ba9d1a9d42fe824e3b4d3a267bf4a987652a83125c6ea26332cc2b42aa058d712d74bd84d603b0b74136d020a822a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELMAMV.js

Filesize
956KB

MD5
a3509dfa4195829dd6ca7022f6f6e729

SHA1
0953470f0ae7e2853b7ba085b48f38f3c9052024

SHA256
a69c37a37c7e4acebbc4bc9ed276c2c433171ac47dc68d941d687975e2761759

SHA512
e8503bb69a1b523a15c399480c68bc8d4fef0d5acbb99cbea7a3a86cd44368d1bc602e5c2bd8285170fd0ee4b3bc7c1f0066cfa1518eb53efd3dee31a1beb127

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
305KB

MD5
9afd9ece1bd1d495d993df48fe93a8dd

SHA1
22cb23fd8ee7ae5c1c0ca606881594f90f09230a

SHA256
1fdb1c5ad65e00e4520df60b9c3b880059ed77fcbf41787c6dd6a9abc0180a5c

SHA512
1d28b54294c4995983699a6edeeb471ff6b3fdd025a360ee0b76435b6ce2843c1a7cad3d0b2d8e6b421af7a8c5c220e23ca2798bc4560713319153b24b2e2f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
376KB

MD5
77d34374418de906c54392bfb251f384

SHA1
25974846aa5ec0c519d6dd707753c5ac5528eb15

SHA256
763e249aff06d3afde2ad073dd463d1b65ba8f26d227cde3520649ebbda30814

SHA512
1e5a02cb8949bcedfc805d0d5db6fe0bca5e5e15cc10b481a85af444d3404d18e6c51cdfb6032c3caa9c1a55000fdc954d269fe55cef663f3bfa194a66e6e379

Download Submit
memory/2624-31-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads