General

  • Target

    f1b82a62136c2eec21b2d3f94a8beea7_JaffaCakes118

  • Size

    553KB

  • Sample

    240922-k8lfbascjd

  • MD5

    f1b82a62136c2eec21b2d3f94a8beea7

  • SHA1

    bbe3a1a2b522912101b5e8edc739f7cdb5fdbdf6

  • SHA256

    abce6b27c63269c3b77de0434f8a864aaa69938d57f6fb14476a7ac4bf689731

  • SHA512

    deec23222fc1a48a208b60945d6a2483b2ad415f8137648425d5e7ccc7bf09d8734b9a542852d780afd7dbc62fb7b187774f0065473a4f17c518d3e7da2fd9d8

  • SSDEEP

    6144:fBd+sYvDno89PB9UeOBSYFVTW10ktwYW7SOpmM8SYKB4/10p6HN:tp6HN

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2034
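
The extracted C2 is the most actionable item on this page. The script below, an added example that is not part of the sandbox report, turns that URL into checkable indicators (host, port, whether the host sits under a dynamic-DNS provider), emits an illustrative Suricata rule for it, and runs the indicator over constructed proxy-log lines. The C2 URL is the one the report extracted; the dynamic-DNS suffix list, the local-rule SID, the log format and the log lines are assumptions made for the example.

```python
"""Turn the extracted WSHRAT C2 into indicators and hunt for it in proxy logs.

Added example. Only C2_URL comes from the report; everything else (the
dynamic-DNS list, the rule SID, the log format and the log lines) is assumed.
"""
from urllib.parse import urlsplit

C2_URL = "http://trabajovalle2019.duckdns.org:2034"  # from the report

# Assumption: providers whose free subdomains are commonly rented for C2.
# duckdns.org is the one used by this sample; the others are examples.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")


def parse_c2(url):
    """Split a C2 URL into the fields a detection needs."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    dyndns = any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)
    return {"scheme": parts.scheme, "host": host, "port": port, "dyndns": dyndns}


def suricata_rule(ioc, sid):
    """Illustrative Suricata rule matching the HTTP Host header of the C2.

    Assumption: sid numbering follows the local-rules convention (>= 1000000).
    """
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET {ioc["port"]} '
        f'(msg:"WSHRAT C2 beacon to {ioc["host"]}"; flow:established,to_server; '
        f'http.host; content:"{ioc["host"]}"; nocase; sid:{sid}; rev:1;)'
    )


# Constructed proxy log, one request per line: "timestamp client method target status".
# CONNECT lines carry only host:port, the others a full URL.
SAMPLE_LOG = """\
1727000001.123 10.0.0.15 GET http://www.example.com/index.html 200
1727000002.456 10.0.0.15 POST http://trabajovalle2019.duckdns.org:2034/ 200
1727000003.789 10.0.0.22 GET http://api.ipify.org/ 200
1727000004.012 10.0.0.15 CONNECT trabajovalle2019.duckdns.org:2034 200
"""


def find_c2_hits(log_text, ioc):
    """Return (client, method, timestamp) for every request to the C2 host:port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target, _status = line.split()
        if "://" not in target:
            target = "//" + target  # let urlsplit parse a bare host:port
        t = urlsplit(target)
        if t.hostname == ioc["host"] and (t.port or 80) == ioc["port"]:
            hits.append((client, method, ts))
    return hits


if __name__ == "__main__":
    ioc = parse_c2(C2_URL)
    print(ioc)
    print(suricata_rule(ioc, 1000001))
    for client, method, ts in find_c2_hits(SAMPLE_LOG, ioc):
        print(f"{ts} {client} {method} -> C2")
```

Matching on host and port rather than the full URL is deliberate: dynamic-DNS names are reassigned quickly, so the IP is a poor indicator, while the name plus the unusual port 2034 survives as long as the operator keeps the registration. The ipify request in the constructed log is the kind of traffic the report's "Looks up external IP address via web service" signature refers to; it is benign on its own and is left to correlation rather than alerted on here.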

Targets

    • Target

      f1b82a62136c2eec21b2d3f94a8beea7_JaffaCakes118

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants. Both run under the Windows Script Host (wscript.exe or cscript.exe), so hunts should key on the script host and the script path rather than on a binary image.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
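
The "Drops startup file" and "Adds Run key to start application" signatures above are the host-side behaviours a responder can hunt for. The script below is an added example, not part of the sandbox report: it classifies constructed Sysmon-style events (registry value set, file create) into those two signatures and flags any process that exhibits both. The event format, the paths and the process names are assumptions chosen to resemble Sysmon JSON output; the regexes encode the Run key and Startup folder locations the signatures refer to.

```python
"""Hunt Sysmon-style events for WSHRAT-style script persistence.

Added example. The events are constructed to resemble Sysmon EventID 13
(RegistryEvent, value set) and EventID 11 (FileCreate); real telemetry will
differ in field names, so adjust classify() to your source.
"""
import json
import re
from collections import defaultdict

# Script types the Windows Script Host runs (WSHRAT ships as .vbs or .js).
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
# A Run value that invokes the script host directly rather than the script.
SCRIPT_HOST = re.compile(r'(?:^|\\|")(?:w|c)script(?:\.exe)?\b', re.IGNORECASE)
# Per-user and per-machine Run keys (HKU\<sid>\... and HKLM\... both match).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Per-user Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed events (raw string so the JSON escapes reach json.loads intact).
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update", "Details": "\"C:\\Users\\u\\AppData\\Roaming\\update.vbs\""}
{"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\u\\Documents\\notes.txt"}
"""


def classify(event):
    """Return the signature name an event matches, or None."""
    eid = event["EventID"]
    if eid == 13 and RUN_KEY.search(event["TargetObject"]):
        data = event.get("Details", "")
        if SCRIPT_EXT.search(data) or SCRIPT_HOST.search(data):
            return "run_key"          # "Adds Run key to start application"
    if eid == 11 and STARTUP_DIR.search(event["TargetFilename"]):
        if SCRIPT_EXT.search(event["TargetFilename"]):
            return "startup_file"     # "Drops startup file"
    return None


def hunt(events_text):
    """Parse JSON lines and return (signature, image) for each hit."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sig = classify(ev)
        if sig:
            findings.append((sig, ev["Image"]))
    return findings


def suspicious_processes(findings):
    """Images that both wrote a Run key and dropped a Startup script."""
    by_image = defaultdict(set)
    for sig, image in findings:
        by_image[image].add(sig)
    return sorted(img for img, sigs in by_image.items()
                  if {"run_key", "startup_file"} <= sigs)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for sig, image in found:
        print(f"{sig:13s} {image}")
    print("double persistence:", suspicious_processes(found))
```

The OneDrive Run value in the constructed data is there to show why the match is on script extensions and the script host, not on Run key writes in general: legitimate software writes Run values constantly, but a Run value that launches a .vbs or .js out of a user-writable directory, written by wscript.exe itself, is rare enough to page on. The geofence check and the external-IP lookup from the signature list are not covered here because Sysmon does not record registry reads; those need EDR registry-query telemetry or proxy logs.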

MITRE ATT&CK Enterprise v15