Windows Analysis Report
Voicemail Jud.html

Overview

General Information

Sample name: Voicemail Jud.html
Analysis ID: 1439837
MD5: 3d9479b1e6201aa32a6b812f02482b38
SHA1: 5c595ea2e25dd799e11a31e7df0d5744de21ff58
SHA256: 427fb9938ca75db1a362fe51356a1dc06350daa5f9db788a4ca2f7e2cb21fd34

Detection

WSHRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected WSHRAT
Blob-based file download detected
Connects to a pastebin service (likely for C&C)
Contains VNC / remote desktop functionality (version string found)
Downloads suspicious files via Chrome
Drops script or batch files to the startup folder
Found suspicious ZIP file
HTML document with suspicious name
HTML document with suspicious title
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query the security center for anti-virus and firewall products
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • chrome.exe (PID: 4948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Voicemail Jud.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2292,i,17443918596644864279,4892845659542734896,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • unarchiver.exe (PID: 6944 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 2936 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2otik2vy.ast" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6952 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 7076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" MD5: FF00E0480075B095948000BDC66E81F0)
          • wscript.exe (PID: 1544 cmdline: "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: FF00E0480075B095948000BDC66E81F0)
  • wscript.exe (PID: 7100 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6008 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6964 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6936 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Name: Houdini, WSHRAT
Description: Houdini is a VBS-based RAT dating back to 2013. Back in the day it used to be wrapped in an .exe, but in 2018 it started being spamvertised or downloaded by other malware directly as .vbs. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini, recoded by an actor using the name Kognito.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini
No configs have been found
Source: dump.pcap
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js
Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery
Description: Detects JS potentially executing WMI queries
Author: ditekSHen
Strings:
  • 0x96654:$ex: .ExecQuery(
  • 0x96e8f:$ex: .ExecQuery(
  • 0x96fc7:$ex: .ExecQuery(
  • 0x97120:$ex: .ExecQuery(
  • 0x999d0:$ex: .ExecQuery(
  • 0x95eff:$s1: GetObject(
  • 0x96633:$s1: GetObject(
  • 0x96e6e:$s1: GetObject(
  • 0x96fa8:$s1: GetObject(
  • 0x970fb:$s1: GetObject(
  • 0x999b1:$s1: GetObject(
  • 0x97c58:$s2: String.fromCharCode(
  • 0x9972b:$s2: String.fromCharCode(
  • 0x99752:$s2: String.fromCharCode(
  • 0x9a03f:$s2: String.fromCharCode(
  • 0x9a078:$s2: String.fromCharCode(
  • 0x92fed:$s3: ActiveXObject(
  • 0x934f9:$s3: ActiveXObject(
  • 0x94d8f:$s4: .sleep(
  • 0x95455:$s4: .sleep(
  • 0x96883:$s4: .sleep(

Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js
Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery
Description: Detects JS potentially executing WMI queries
Author: ditekSHen
Strings:
  • 0x96654:$ex: .ExecQuery(
  • 0x96e8f:$ex: .ExecQuery(
  • 0x96fc7:$ex: .ExecQuery(
  • 0x97120:$ex: .ExecQuery(
  • 0x999d0:$ex: .ExecQuery(
  • 0x95eff:$s1: GetObject(
  • 0x96633:$s1: GetObject(
  • 0x96e6e:$s1: GetObject(
  • 0x96fa8:$s1: GetObject(
  • 0x970fb:$s1: GetObject(
  • 0x999b1:$s1: GetObject(
  • 0x97c58:$s2: String.fromCharCode(
  • 0x9972b:$s2: String.fromCharCode(
  • 0x99752:$s2: String.fromCharCode(
  • 0x9a03f:$s2: String.fromCharCode(
  • 0x9a078:$s2: String.fromCharCode(
  • 0x92fed:$s3: ActiveXObject(
  • 0x934f9:$s3: ActiveXObject(
  • 0x94d8f:$s4: .sleep(
  • 0x95455:$s4: .sleep(
  • 0x96883:$s4: .sleep(

Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security
Source: 0000000B.00000003.2053554395.0000000003517000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

Source: 0000000B.00000003.2092992601.00000000052A8000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security