General

  • Target

    b12ecb2ee2eb06b0a5fe08f475cd68f4_JaffaCakes118

  • Size

    545KB

  • Sample

    240820-2wx21sxfqa

  • MD5

    b12ecb2ee2eb06b0a5fe08f475cd68f4

  • SHA1

    8fe2b060edfa5b631dc99f53ec246cba1f8dfe6d

  • SHA256

    86f701c004025b36a83943d91f033e4e7c3c37f35b51f8a678db378b6be13cb0

  • SHA512

    c744497ec302e702bf288f6cbefe840fd4c33336ce98d47fd1a9b1e54bed8629a3d1ddc2e0be807c0f67c2e99c473064da56ac9c2e41d3630f29fa2ec4d10277

  • SSDEEP

    12288:aB3IZiz2SIXH6xR/phKPt8cjM9whepUoDem/YBStirFrLO2ieRbFk9ZtKVQ3Oqb5:cIBcsehEiTK8

Malware Config

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks