General

  • Target: 480774d572be34a6c485359e9d52bf73_JaffaCakes118
  • Size: 6.6MB
  • Sample: 240515-zwpdrscb65
  • MD5: 480774d572be34a6c485359e9d52bf73
  • SHA1: f531849a3e3556e298fe74cdbfae6aeea1e8213e
  • SHA256: e0a6cbb68611c4fdcf712351c6c58681b4712314af8c45db041bd3e0eab83b5a
  • SHA512: 82546b6dd53df8a4c814cc79eb91086654d78026ae6e33b5d05cc616e7e623d25fd85b6f32322c2a6f42a059005de4d036a4285fae463b501f313e7404125679
  • SSDEEP: 196608:vW6g25nOkkU4mBkXNH1Zuortw9Zh0wxqw5aN+Np:a211kH/p1Mx9fxMNSp

Malware Config

Extracted

  • Family: wshrat
  • C2: http://freehost222.ddns.net:1555

Targets

    • Target: 480774d572be34a6c485359e9d52bf73_JaffaCakes118

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks