strrat | 77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06

General

Target

ORDER #256988PDF.js
Size

955KB
MD5

a8d8c8f8213370e298e4c51777b5ca6f
SHA1

e7154be7f1ece7adb9a1bda5a76023890911f26c
SHA256

77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06
SHA512

8336c930cd80b4e1c890ab5201d5b482bff71b5d4309a1a85b032570b9e39d93389ee07537bff58b58978bf0492c40499505074cb6ce99640ecd2d5d8b3b48e8
SSDEEP

6144:w4j8E7KdksEmXpivANu3xQ2ZFnNsa9eX44HQfYEhrn9KXXUa14VcEvb6EcB7QTkD:5wezANwdJsa9q4tNVngYABHD

Score

10^/10

strrat wshrat execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

chongmei33.myddns.rocks:44662

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2864	wscript.exe
6	2864	wscript.exe
7	2864	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	6	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	7	WSHRAT\|44BAD2C8\|JSMURNPT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 14/2/2025\|JavaScript

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2288	2236	wscript.exe	30
PID 2236 wrote to memory of 2288	2236	wscript.exe	30
PID 2236 wrote to memory of 2288	2236	wscript.exe	30
PID 2236 wrote to memory of 2520	2236	wscript.exe	31
PID 2236 wrote to memory of 2520	2236	wscript.exe	31
PID 2236 wrote to memory of 2520	2236	wscript.exe	31
PID 2520 wrote to memory of 2292	2520	WScript.exe	32
PID 2520 wrote to memory of 2292	2520	WScript.exe	32
PID 2520 wrote to memory of 2292	2520	WScript.exe	32
PID 2288 wrote to memory of 2864	2288	WScript.exe	33
PID 2288 wrote to memory of 2864	2288	WScript.exe	33
PID 2288 wrote to memory of 2864	2288	WScript.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER #256988PDF.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\pMC.jar"
    3⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
376KB

MD5
13d6055f2addd05e87d753757d563010

SHA1
482f29ce8f8c7ce17134d588d6447c91bfe7a667

SHA256
2efe85d32f3a6e016db40a5ba1624a41c751632950435b22553c64b7ac9166d4

SHA512
757809ed2a1f3f6c023fced28463f92bedaeebb0d081c422259af792e81fef816bfc9c5a7834626df75eec888d77d45163c74d4c432aebd9fd89abd8066e002d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMC.jar

Filesize
265KB

MD5
ddd6ab9a4bd52a330e0bc574618882a8

SHA1
770a1b51549a0133fffd159e4f414a1c6ea8d4c6

SHA256
382ff01d1b78047fd37a43d825f5ef486420681706f388bef284fa76047d55a3

SHA512
d49ad115f6d3c3293a0d87ce2162c261104b938efc1a14ad3a3916eaf753c2694dd07b9455ba651c6c941ac7ae72dc42580054124afdb905b6f08849788018af

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
305KB

MD5
39a82c1919b090a2fd704fb04d063d20

SHA1
e2bd8b378bb1ef4aa3790ef8be39338057048a7c

SHA256
650220be1c8eda3f5194b01fb144b7d21d70bb50fe3de055a755c2f3f4dff420

SHA512
5872271679b2f9267133604d89dac3d96c8487b5daa2e83df5f9906be582abfacea6b956b74092eb2eefc80d8d414b719064d1e118de92f2d1c9485a4f75c835

Download Submit
memory/2292-25-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads