General

  • Target

    2fb24f837e6264063b4e6d1f67a91094_JaffaCakes118

  • Size

    116KB

  • Sample

    240709-knyvxaxhka

  • MD5

    2fb24f837e6264063b4e6d1f67a91094

  • SHA1

    cad775147c9826fbc1fe5377a3bfb53f364358c6

  • SHA256

    480402d50da0d411c886bad96a179f93cd6de992c7084c6098fde2dd527b1fd8

  • SHA512

    bb359c0884b6c611283389f2f81c71de8d0620604660b30f87df86008e8e97cdf2dffc12057b756c5841195bdcd860200df6da8e09d387a8bc8e53b3159fad46

  • SSDEEP

    3072:1BIXlF8txCD+iarI/k924oqRjYznzLJIIYSiKmke28NHSbCPDo:1Yw6+nrIsY4oqRjYzv5YRfEj

Malware Config

Targets

    • Target

      Rechnung2498.js

    • Size

      179KB

    • MD5

      093aa4289d9d8d8315ab0ea9b306f0a0

    • SHA1

      0316c6e558148a10d0acf63bc84f53ca315b1acf

    • SHA256

      39f7abd459bda03744d7d1dfb7dd15b2204014d75f20d86a13789648d6f44b1d

    • SHA512

      ddea7839a14759a27d17578850fb473f720bf911cb9d6e56c3e55a963eca51a85ae1706d2f8bca31b216fa7ef2457135dd1a198008203e6635cb73fd3df985f8

    • SSDEEP

      3072:+p1gHeX3reXqf6ZKOBRY+7Q0bamKZtvEzKbURCqeGK/6SbIpklgVDSxGfmuZyas:+p1gHeX3reXqf6ZKwRY+cM24RCqeGKZR

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks