strrat | 77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06

General

Target

ORDER #256988PDF.js
Size

955KB
MD5

a8d8c8f8213370e298e4c51777b5ca6f
SHA1

e7154be7f1ece7adb9a1bda5a76023890911f26c
SHA256

77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06
SHA512

8336c930cd80b4e1c890ab5201d5b482bff71b5d4309a1a85b032570b9e39d93389ee07537bff58b58978bf0492c40499505074cb6ce99640ecd2d5d8b3b48e8
SSDEEP

6144:w4j8E7KdksEmXpivANu3xQ2ZFnNsa9eX44HQfYEhrn9KXXUa14VcEvb6EcB7QTkD:5wezANwdJsa9q4tNVngYABHD

Score

10^/10

strrat wshrat discovery execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

chongmei33.myddns.rocks:44662

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2852	wscript.exe
27	2852	wscript.exe
31	2852	wscript.exe
34	2852	wscript.exe
39	2852	wscript.exe
40	2852	wscript.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
63	4832	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4400	MicrosoftEdgeUpdate.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	wscript.exe

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	31	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	34	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	39	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript
HTTP User-Agent header	40	WSHRAT\|CC9585C8\|ECYIFUBU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/2/2025\|JavaScript

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3616	4528	wscript.exe	86
PID 4528 wrote to memory of 3616	4528	wscript.exe	86
PID 4528 wrote to memory of 2600	4528	wscript.exe	87
PID 4528 wrote to memory of 2600	4528	wscript.exe	87
PID 3616 wrote to memory of 2852	3616	WScript.exe	88
PID 3616 wrote to memory of 2852	3616	WScript.exe	88
PID 2600 wrote to memory of 3144	2600	WScript.exe	89
PID 2600 wrote to memory of 3144	2600	WScript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER #256988PDF.js"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2852
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\pMC.jar"
    3⤵
    PID:3144

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkQzOTcxMTAtRjZGNi00MTQ2LUE4OEEtQ0QxQ0UzNUQzN0NGfSIgdXNlcmlkPSJ7RENDRTIxNTUtNkVGRS00OTAxLUJENDUtNkQyNDVFMEE2ODIyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTFFREQwRjItOUU5Ni00MTk2LUJFQzItQTk4Q0VBNkU3QzI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjk0NDgxNDkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
376KB

MD5
13d6055f2addd05e87d753757d563010

SHA1
482f29ce8f8c7ce17134d588d6447c91bfe7a667

SHA256
2efe85d32f3a6e016db40a5ba1624a41c751632950435b22553c64b7ac9166d4

SHA512
757809ed2a1f3f6c023fced28463f92bedaeebb0d081c422259af792e81fef816bfc9c5a7834626df75eec888d77d45163c74d4c432aebd9fd89abd8066e002d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMC.jar

Filesize
265KB

MD5
ddd6ab9a4bd52a330e0bc574618882a8

SHA1
770a1b51549a0133fffd159e4f414a1c6ea8d4c6

SHA256
382ff01d1b78047fd37a43d825f5ef486420681706f388bef284fa76047d55a3

SHA512
d49ad115f6d3c3293a0d87ce2162c261104b938efc1a14ad3a3916eaf753c2694dd07b9455ba651c6c941ac7ae72dc42580054124afdb905b6f08849788018af

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
305KB

MD5
39a82c1919b090a2fd704fb04d063d20

SHA1
e2bd8b378bb1ef4aa3790ef8be39338057048a7c

SHA256
650220be1c8eda3f5194b01fb144b7d21d70bb50fe3de055a755c2f3f4dff420

SHA512
5872271679b2f9267133604d89dac3d96c8487b5daa2e83df5f9906be582abfacea6b956b74092eb2eefc80d8d414b719064d1e118de92f2d1c9485a4f75c835

Download Submit
memory/3144-99-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-100-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-58-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-64-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-62-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-66-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-72-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-27-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-101-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-52-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-103-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-106-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-110-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-112-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-117-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-123-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-135-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download
memory/3144-138-0x00000286C70B0000-0x00000286C70B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads