Overview

overview

10

Static

static

1

PO#6100008...Xls.js

windows7-x64

10

PO#6100008...Xls.js

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#6100008 Jan04.02.2024.Xls.js

  • Size

    955KB

  • MD5

    46585cfdb357b9c32e0aed02376dea2c

  • SHA1

    3525ccecb41582261ba6401d34b56cfdb7ec0d1e

  • SHA256

    b7e9e72922bbafab57989a81d72e1dee75ae384bd975cce8a707417cc1df725a

  • SHA512

    52b9a853aec1268ed4304a3712a50a59d12ae4777eb5108920b7e8518ee6800449597d43a29fc73e33e4e3375c8a9fc99e55c7a47b54bed03aea7ef48e238929

  • SSDEEP

    6144:nj8EnXTkIEmXTSPAKujxQ2ZFnQsa45Z44HQ6YGhz00KY6RRs44lEhc6cgPEtcExS:nwmsGKcdssa474tYR0rGlfcEo

Score
10/10
strratwshratexecutionpersistencestealertrojan

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

chongmei33.myddns.rocks:44662
Attributes
  • license_id

    khonsari

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat
  • Strrat family
    strrat
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Wshrat family
    wshrat
  • Blocklisted process makes network request 26 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 26 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO#6100008 Jan04.02.2024.Xls.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TZQ.jar"
        3⤵
          PID:3064
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
          3⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:3040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TZQ.jar
      Filesize

      265KB

      MD5

      49b06e70255a9d233ee47e15d9a2e23b

      SHA1

      a4c33ef1c39d7715216c27dc93d417c3eb3ec39e

      SHA256

      db396f9ae63eab45892eed0964926126301abaec49d356765b8cd181572551e5

      SHA512

      1ae0d43afaffb6ea57c493f8ab77b5b5bb2a74203cc5e9c0cb6256443f5f4095eb927d7e2ef276c24c91f7aa370dfd6903bc152a791f7ce69c91061d0c805e84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\adobe.js
      Filesize

      376KB

      MD5

      66557642aadcc9634d9fd1201d730ed7

      SHA1

      c0aeeaa215a04a1f87385dfa1395420969a40fa8

      SHA256

      6db12be58fe93da654afb1f98737e2e1fa05be9c3acce26413792cf30f9e482e

      SHA512

      820f7783339e77d6b2c3f308b0df3e56888216fee2d1aee099fb2e09dcbc4ec6926070976b8b948e56ab351c03052b34562ed406681f5cfe8aad92a8a90e66f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\word.js
      Filesize

      305KB

      MD5

      7baf3694a88ff874e20a3d68a6c060d0

      SHA1

      fd9e22e3d52e0100dc963f776137cb6068e44825

      SHA256

      7693d4d8b365e1e7592dab1df24c67c133d0327a82cfab4f806f894b713b7847

      SHA512

      3ed74145253f5658ee8f253952dd0cbbf7f8f41cfe75a69f36bc954b3eb3a8c1b8bba66459ac3344214ac708aed16abe50be9899dd7b2ee3abc7bf89cc93c2a4

      Download Submit

    • memory/3064-25-0x0000000000110000-0x0000000000111000-memory.dmp

      Filesize

      4KB

      Download