General

Target: JaffaCakes118_429b44e4d42d801dad356adfdcb434b29fc3bf1e24a750481b5a93742400b8e2
Size: 1.0MB
Sample: 241225-hkg2wa1jbm
MD5: d2f0f3c7c907f630742d4c4ebe5b1500
SHA1: d1a9ce0200c8d640db3e6da384f4a7782c472488
SHA256: 429b44e4d42d801dad356adfdcb434b29fc3bf1e24a750481b5a93742400b8e2
SHA512: 660940f28731e4ee326966363da1241303c170a0530116c332985a70a160b31494aeca3c4a7bf4f7ce36a0069cb9fe8e66ca3b31f52f168b566413ffdb825162
SSDEEP: 24576:DhYtyadBPR3thS2sq3uzq7ZkPvnZnlnqB8kq9uvjUlN4Qd:DhYLPtoqdk3PqSubUH4e
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: BLindex.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: BLindex.exe
  Resource: win10v2004-20241007-en
Malware Config

Targets

Target: BLindex.exe
Size: 1.1MB
MD5: d070bf6585deded9e331ae77de76fcc4
SHA1: 74c5e44d48b86414cbe8e604bb24fe03a5ced634
SHA256: a2b55ffb492faeced1033c534e4f462d3c0ac9f914f991361ba67067538a05d1
SHA512: b5e146eb60acbb68c2385370784f9fa5e8ba8e221ef5fffbe16ebb58108314ef7c0941d51e35608f108666e3093286c636e59931eb0286a6075a57ee52b3c0e8
SSDEEP: 24576:Yma+QZG0nbLYR1yTb6h0BacWadNihTIvGn7Rk3w6hWNudTzIfAH:jcZnbLYXyTb6oacjosOu8O0G
Score: 10/10

Signatures

- WSHRAT payload
- Wshrat family
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext