Analysis
-
max time kernel
139s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
15/05/2024, 21:04
General
-
Target
480774d572be34a6c485359e9d52bf73_JaffaCakes118.exe
-
Size
6.6MB
-
MD5
480774d572be34a6c485359e9d52bf73
-
SHA1
f531849a3e3556e298fe74cdbfae6aeea1e8213e
-
SHA256
e0a6cbb68611c4fdcf712351c6c58681b4712314af8c45db041bd3e0eab83b5a
-
SHA512
82546b6dd53df8a4c814cc79eb91086654d78026ae6e33b5d05cc616e7e623d25fd85b6f32322c2a6f42a059005de4d036a4285fae463b501f313e7404125679
-
SSDEEP
196608:vW6g25nOkkU4mBkXNH1Zuortw9Zh0wxqw5aN+Np:a211kH/p1Mx9fxMNSp
Malware Config
Extracted
wshrat
http://freehost222.ddns.net:1555
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload 1 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\480774d572be34a6c485359e9d52bf73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\480774d572be34a6c485359e9d52bf73_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xEnigma32g.exe"C:\Users\Admin\AppData\Local\Temp\xEnigma32g.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xLicense.js"2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xLicense.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5165871e449aff3bcb0e39cf7844ac512
SHA107c578daefaa429f2c689d129ad2550e6e498900
SHA256fb30eadcf2ed6162142941d6282e4ef11134d3a16b711373abb9dada1235b002
SHA512a126152c2cb0b147eb4f6900e276cd80e8cc661395dbcd298360952d5d7f9154cbea4344579e1b43526bbe3d768a14e2f9467eeb0dc210dee12db930c7af56f0
-
Filesize
118KB
MD5ce9fc3f1e3d6613b95be547853e778d9
SHA132dcddfe783545087df170d01c001d1e8cc00de7
SHA256a239dab614ef4ad6c7da27fd67564614f0bb273aa4fb10a3033e4e6ad2572787
SHA51219d68d65417eed27c6ac813df1751e8ccdb6e525ed0004965581d4290a5b953082809ea2b650014a3ccebbba8d620fbaa4e91cdd170ebf1d2487534238a2498c
-
Filesize
16.8MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
584KB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.5MB