General
Target: JaffaCakes118_66ce275ae44bfac23f7a71c0e3df1e76
Size: 2.1MB
Sample: 250107-q8f4gswkbq
MD5: 66ce275ae44bfac23f7a71c0e3df1e76
SHA1: a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
SHA256: 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
SHA512: 94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe
SSDEEP: 24576:uKw3pqOTn/rH/I791y2Nd05Zo40U64pb11ndIclNxR2MLkH/hfuCM6J/xPyL5EoA:uKIw7M37TpZF3Tk46xP6nNa9
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_66ce275ae44bfac23f7a71c0e3df1e76.js
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_66ce275ae44bfac23f7a71c0e3df1e76.js
  Resource: win10v2004-20241007-en
Malware Config
Targets
Score: 10/10
- WSHRAT payload
- Wshrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext