General

  • Target

    ddosL7.bat

  • Size

    14KB

  • Sample

    240621-ramn2swglm

  • MD5

    cf5eda10b8afb767c9aa90c2e60da074

  • SHA1

    be2394dc599ca6d30b910bc96acbf5d83c09aee7

  • SHA256

    35024af1d65a1a627714e6ead42382b5952f97fef015f16634a2ca4c80e58438

  • SHA512

    83a6f144def80543ca523bbf0574d6e133773591b83f9ddf618f29742c92cc200a959db0e9d056ec871ee776aa9c7a0fe0294f366f65465148185e619e861faf

  • SSDEEP

    96:ygDHeGfNhaenzfUP+FdRdIYAsPbPFfIYAuP1D5e1dIYAW7:PrxfnduP

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    45.141.26.232:6666

  • Mutex

    omb7mZjvAq0auoSy

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Java Update Checker (64 bit).exe

aes.plain

Targets

    • Target

      ddosL7.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15