General

Target: JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2
Size: 1.6MB
Sample: 250107-fzcdtsxqhq
MD5: 4fb831a65cce2392df4c5f792dad31e2
SHA1: 887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512: c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5
SSDEEP: 24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZB
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_4fb831a65cce2392df4c5f792dad31e2.exe
Resource: win10v2004-20241007-en
Score: 10/10

- WSHRAT payload
- Wshrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext