General

  • Target

    https://cdn.discordapp.com/attachments/1253255524330246195/1253629125000957993/bytecode.rar?ex=66768c9a&is=66753b1a&hm=2555e33976aab06a13465b3448bc1b727b64e0457dd117cf46564edd5677ea60&

  • Sample

    240621-kkww5sxcjm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7110

192.168.1.17:7110

Attributes
  • Install_directory

    %AppData%

  • install_file

    Window corporation.exe

Targets

    • Target

      https://cdn.discordapp.com/attachments/1253255524330246195/1253629125000957993/bytecode.rar?ex=66768c9a&is=66753b1a&hm=2555e33976aab06a13465b3448bc1b727b64e0457dd117cf46564edd5677ea60&

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks