General
-
Target
JavaScript.exe
-
Size
45KB
-
Sample
240523-s31xtagb25
-
MD5
f820ce3ab4a45a4e512a03eb04e5a4f8
-
SHA1
ad8cebc70092daf23cabfc764c32d2556b02567c
-
SHA256
48197dddf561852493a4a9c06b9e8a84015a16cd5dc131cccf7a528124790d95
-
SHA512
14f4855a4ac220ab11fd14ead8baa19e812edada9ddc288161a159b5868855dee7de75e0288b76889eb5c0f0031c1b04f165ead393847cf1ae22d41747b1100f
-
SSDEEP
768:gcNFC/wJSlFE1d15PhntpqOTDMFHFEPG9PMDOChSzYiXb1:gzwJS3yVQJF19PMDOC45Xb1
Behavioral task
behavioral1
Sample
JavaScript.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
JavaScript.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
JavaScript.exe
Resource
win11-20240508-en
Malware Config
Extracted
xworm
5.0
78.34.61.197:4782
yRVcxFHrInqhyusF
-
Install_directory
%ProgramData%
-
install_file
Runtime Broker.exe
Targets
-
-
Target
JavaScript.exe
-
Size
45KB
-
MD5
f820ce3ab4a45a4e512a03eb04e5a4f8
-
SHA1
ad8cebc70092daf23cabfc764c32d2556b02567c
-
SHA256
48197dddf561852493a4a9c06b9e8a84015a16cd5dc131cccf7a528124790d95
-
SHA512
14f4855a4ac220ab11fd14ead8baa19e812edada9ddc288161a159b5868855dee7de75e0288b76889eb5c0f0031c1b04f165ead393847cf1ae22d41747b1100f
-
SSDEEP
768:gcNFC/wJSlFE1d15PhntpqOTDMFHFEPG9PMDOChSzYiXb1:gzwJS3yVQJF19PMDOC45Xb1
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-