Analysis

  • max time kernel
    133s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/05/2024, 02:21 UTC

General

  • Target

    113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js

  • Size

    74KB

  • MD5

    113a1b4222b39b21e5f61e5b8b5b7f5d

  • SHA1

    4f9a37c5f1d708b59b4dae196c89629f7a5496df

  • SHA256

    8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b

  • SHA512

    bc34b7fd054bd013c2b90c15c73e27df7bffa155d55cc75ba1b388473ade2460fc327d498133490d8bb1cad97a8de000e1323163973738b177df975064c4fbf7

  • SSDEEP

    1536:dScQPMz4GlHNvQYviFSD17fdN85bxYYhVfGAGnNUHORWR:ccQPM8GdNv6ERYLN7SNEKWR

Malware Config

Extracted

Family

wshrat

C2

http://freehost222.ddns.net:1555

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • Blocklisted process makes network request (7 IoCs)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent (6 IoCs)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 1964)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 1208, child of PID 1964)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application

Network

  • US
    DNS
    ip-api.com
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://ip-api.com/json/
    wscript.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 May 2024 02:21:05 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 297
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • US
    DNS
    freehost222.ddns.net
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    freehost222.ddns.net
    IN A
    Response
    freehost222.ddns.net
    IN A
    184.105.237.199
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • US
    POST
    http://freehost222.ddns.net:1555/is-ready
    wscript.exe
    Remote address:
    184.105.237.199:1555
    Request
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    User-Agent: WSHRAT|98243646|BISMIZHX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/5/2024|JavaScript-v2.0|GB:United Kingdom
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: freehost222.ddns.net:1555
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    wscript.exe
    Sent: 507 B
    Received: 646 B
    Packets sent: 5
    Packets received: 4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 579 B
    Received: 225 B
    Packets sent: 5
    Packets received: 5

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 579 B
    Received: 225 B
    Packets sent: 5
    Packets received: 5

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 579 B
    Received: 225 B
    Packets sent: 5
    Packets received: 5

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 579 B
    Received: 225 B
    Packets sent: 5
    Packets received: 5

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 579 B
    Received: 225 B
    Packets sent: 5
    Packets received: 5

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 184.105.237.199:1555
    http://freehost222.ddns.net:1555/is-ready
    http
    wscript.exe
    Sent: 487 B
    Received: 88 B
    Packets sent: 3
    Packets received: 2

    HTTP Request

    POST http://freehost222.ddns.net:1555/is-ready
  • 8.8.8.8:53
    ip-api.com
    dns
    wscript.exe
    Sent: 56 B
    Received: 72 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    freehost222.ddns.net
    dns
    wscript.exe
    Sent: 66 B
    Received: 82 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    freehost222.ddns.net

    DNS Response

    184.105.237.199

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\113a1b4222b39b21e5f61e5b8b5b7f5d_JaffaCakes118.js

    Filesize

    74KB

    MD5

    113a1b4222b39b21e5f61e5b8b5b7f5d

    SHA1

    4f9a37c5f1d708b59b4dae196c89629f7a5496df

    SHA256

    8fa3ffb85ab6ba074db02c05da5ee6462813fbd750bfc1e9bb2bd4cada56fc6b

    SHA512

    bc34b7fd054bd013c2b90c15c73e27df7bffa155d55cc75ba1b388473ade2460fc327d498133490d8bb1cad97a8de000e1323163973738b177df975064c4fbf7
