General

  • Target

    113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118

  • Size

    74KB

  • Sample

    240504-cszn1adg79

  • MD5

    113a1b4222b39b21e5f61e5b8b5b7f5d

  • SHA1

    4f9a37c5f1d708b59b4dae196c89629f7a5496df

  • SHA256

    8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b

  • SHA512

    bc34b7fd054bd013c2b90c15c73e27df7bffa155d55cc75ba1b388473ade2460fc327d498133490d8bb1cad97a8de000e1323163973738b177df975064c4fbf7

  • SSDEEP

    1536:dScQPMz4GlHNvQYviFSD17fdN85bxYYhVfGAGnNUHORWR:ccQPM8GdNv6ERYLN7SNEKWR

Malware Config

Extracted

Family

wshrat

C2

http://freehost222.ddns.net:1555

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks