General

  • Target

    SchoolGcChatRoom(MadeByLogan).exe

  • Size

    719KB

  • Sample

    240527-pmn2jadb44

  • MD5

    ebc3d261ef9af94302fa7007e95a8b8d

  • SHA1

    dc91c2baa462716540aa35c1509e1be0028b52f2

  • SHA256

    c67516b52e22d90c2f7eaf23c1ec7dfe69c21e6de1496fb2eda6d9b424bbfa2d

  • SHA512

    44313719cff1c6c8229ea6e510dce7151664de4d9c6eeeaa2d0b4bf551314c6000c88a74889ed770294a4c8e4f4526c88ded4d85438527b28fa5eaa09279a3d7

  • SSDEEP

    12288:pyTgg8qjISyNN6OUuTaK2u5t55CZ8HGCExPWhcBW22qYrcUMrwfjr2lE6iy:p4B1qNXUuTaqAgHuWuB32qYoU+wfjrN6

Malware Config

Extracted

Family

xworm

C2

auto-london.gl.at.ply.gg:51655

Attributes

  • Install_directory

    %Public%

  • install_file

    USB.exe

Targets

    • Target

      SchoolGcChatRoom(MadeByLogan).exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15