Overview

overview

10

Static

static

1

JaffaCakes...e76.js

windows7-x64

10

JaffaCakes...e76.js

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_66ce275ae44bfac23f7a71c0e3df1e76.js

  • Size

    2.1MB

  • MD5

    66ce275ae44bfac23f7a71c0e3df1e76

  • SHA1

    a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce

  • SHA256

    46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633

  • SHA512

    94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe

  • SSDEEP

    24576:uKw3pqOTn/rH/I791y2Nd05Zo40U64pb11ndIclNxR2MLkH/hfuCM6J/xPyL5EoA:uKIw7M37TpZF3Tk46xP6nNa9

Score
10/10
wshratdiscoveryexecutionpersistencetrojan

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 1 IoCs
  • Wshrat family
    wshrat
  • Blocklisted process makes network request 14 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ce275ae44bfac23f7a71c0e3df1e76.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
      "C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
        "C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe" ... that Dmitri Smirnov (pictured) composed the Triple Concerto No.
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1456
      • C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
        "C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:5008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UV4TX9UP\json[1].json
    Filesize

    291B

    MD5

    c085beeb6f771b90fed94c1d940f97f6

    SHA1

    44a994d9175d6abaa9a3b5718e242fa659aed66a

    SHA256

    ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

    SHA512

    9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
    Filesize

    527KB

    MD5

    40acb53d42e4b4d20a0111e6dd847606

    SHA1

    d010be1ba9ceea60098bebbfee425c0cda66b9a2

    SHA256

    213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

    SHA512

    a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\61849594\amihgkew.urb
    Filesize

    1.0MB

    MD5

    393bff19f709832ddbd70230f2ccc714

    SHA1

    8f605c8557d61a1049f4bd0614165f713b6dcecd

    SHA256

    6e21b346428b764227858b3c69e6c96ce4bf275715cc3b129065dcc41eace024

    SHA512

    b00f498f8576e38edf094ca0337b406d8890f76829e0941fc6974ca4ca9fb20290c928990bcf37a748423a52ac509f8661cb0337df6b003322951acb71923130

    Download Submit

  • C:\Users\Admin\AppData\Roaming\61849594\aolgrnrpt.log
    Filesize

    36KB

    MD5

    a1e3f47b52737f7a0d5136b89369b2f2

    SHA1

    37cd3f1073d88e938023915a4196b3ffcbe0dad9

    SHA256

    6ca30a0b9918922c3c3408b48399736998d41b34c2345e9cec712ac132c95ae0

    SHA512

    22ad5473ecc6bb9046f93378a4810ea1966b68567e7875e59b23a62180c62b81a4ae52a4fdfbdeb0bcba524b40223b000158e77067ebf3c5242098a6bff3725e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
    Filesize

    758KB

    MD5

    1d7071dd5cda216508b235c0e2318b05

    SHA1

    0b972fbc1ea8a47204b2a187e608744a4e947bc2

    SHA256

    788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

    SHA512

    65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EkoHX.vbs
    Filesize

    180KB

    MD5

    952b1cbd78885f81760a77dc3b453fd3

    SHA1

    4af75b46620b063fc23652c3ecaa3b4081074572

    SHA256

    fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

    SHA512

    1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

    Download Submit

  • C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
    Filesize

    1.6MB

    MD5

    4183142d3de98c340787c751ae2f8d03

    SHA1

    7b7161f73a3100eea2d67fbdf66488f322408c55

    SHA256

    c9589679c82039bc1fccaf2c300d564e969c651fc6fb440260e222690f3586bb

    SHA512

    8648129e13d7285b7d7d38c3627365f97a79e027173f794a82450bd56f1b0ef35f97a6ebf3c9b59bdf4b0991d95caf7ca3d93bd9c5afe29c03a0a42bdc557a88

    Download Submit

  • memory/2852-89-0x0000000000900000-0x000000000098A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2852-88-0x0000000000900000-0x0000000000F77000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4912-69-0x0000000072820000-0x0000000072DD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4912-78-0x0000000072820000-0x0000000072DD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4912-70-0x0000000072820000-0x0000000072DD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4912-68-0x0000000072822000-0x0000000072823000-memory.dmp

    Filesize

    4KB

    Download