wshrat | 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6

General

Target

JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
Size

1.6MB
MD5

4fb831a65cce2392df4c5f792dad31e2
SHA1

887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256

2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512

c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5
SSDEEP

24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZB

Score

10^/10

wshrat discovery persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c93-75.dat	family_wshrat

Wshrat family
wshrat

Blocklisted process makes network request 14 IoCs

flow	pid	Process
13	1076	wscript.exe
16	1076	wscript.exe
20	2724	wscript.exe
21	2724	wscript.exe
30	1076	wscript.exe
33	2724	wscript.exe
45	1076	wscript.exe
46	2724	wscript.exe
50	1076	wscript.exe
51	2724	wscript.exe
58	1076	wscript.exe
59	2724	wscript.exe
60	1076	wscript.exe
61	2724	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WHS2.0.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4688	WHS2.0.exe
4860	wcnaumia.pif

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 1668	4860	wcnaumia.pif	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WHS2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnaumia.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1668	RegSvcs.exe
1668	RegSvcs.exe
1668	RegSvcs.exe
1668	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4688	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	84
PID 3228 wrote to memory of 4688	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	84
PID 3228 wrote to memory of 4688	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	84
PID 3228 wrote to memory of 4860	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	86
PID 3228 wrote to memory of 4860	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	86
PID 3228 wrote to memory of 4860	3228	JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe	86
PID 4688 wrote to memory of 1076	4688	WHS2.0.exe	87
PID 4688 wrote to memory of 1076	4688	WHS2.0.exe	87
PID 4688 wrote to memory of 1076	4688	WHS2.0.exe	87
PID 4860 wrote to memory of 1668	4860	wcnaumia.pif	89
PID 4860 wrote to memory of 1668	4860	wcnaumia.pif	89
PID 4860 wrote to memory of 1668	4860	wcnaumia.pif	89
PID 4860 wrote to memory of 1668	4860	wcnaumia.pif	89
PID 4860 wrote to memory of 1668	4860	wcnaumia.pif	89
PID 1668 wrote to memory of 2724	1668	RegSvcs.exe	90
PID 1668 wrote to memory of 2724	1668	RegSvcs.exe	90
PID 1668 wrote to memory of 2724	1668	RegSvcs.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228
- C:\74800197\WHS2.0.exe
  "C:\74800197\WHS2.0.exe" Community portal â€“ Bulletin board,
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1076
- C:\74800197\wcnaumia.pif
  "C:\74800197\wcnaumia.pif" fhmoqoe.prw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\74800197\WHS2.0.exe

Filesize
527KB

MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\74800197\envmhh.cos

Filesize
1.0MB

MD5
80eee5b692798640be0b6d0ca2f8768c

SHA1
c39d4b5b048194ef1acdecc8b7cab27e63bc0402

SHA256
9b6c1dad4b42a308e4fade72da97589161c7cc37c5d926353f216e1903ec9780

SHA512
c587cc27b96fa66a1188947b85f9f27ea61e502e21456411536f48e533377e80301a4fe82eba451d82c1d12b9c5368336d166542d44f12b990a73d10382612d8

Download Submit
C:\74800197\vijppg.txt

Filesize
47KB

MD5
808bdb5b8f93f34c6d64bb48283776ec

SHA1
e3f096b0ea493885ba3e1058594c2d48d4ea89c9

SHA256
799a62dc96ba037ccec9ca7a417a4c5428454a3f52c7b4444f728d79b5f06fd7

SHA512
97582524e55fbb90185dd4e5c8eb6ea5e1a57aa5354278878786881593ef2bd85f3fba8ef6a94d89b8f9dc14c07ee85553e58fa00dd64adfe73d954f3a4af0ff

Download Submit
C:\74800197\wcnaumia.pif

Filesize
758KB

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\json[1].json

Filesize
291B

MD5
c085beeb6f771b90fed94c1d940f97f6

SHA1
44a994d9175d6abaa9a3b5718e242fa659aed66a

SHA256
ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

SHA512
9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Download Submit
C:\Users\Admin\AppData\Roaming\EkoHX.vbs

Filesize
180KB

MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
memory/1668-84-0x0000000000410000-0x0000000000A33000-memory.dmp

Filesize
6.1MB

Download
memory/1668-85-0x0000000000410000-0x000000000049A000-memory.dmp

Filesize
552KB

Download
memory/4688-64-0x0000000072782000-0x0000000072783000-memory.dmp

Filesize
4KB

Download
memory/4688-65-0x0000000072780000-0x0000000072D31000-memory.dmp

Filesize
5.7MB

Download
memory/4688-66-0x0000000072780000-0x0000000072D31000-memory.dmp

Filesize
5.7MB

Download
memory/4688-74-0x0000000072780000-0x0000000072D31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads