General
- Target: ddosL7.bat
- Size: 14KB
- Sample: 240621-ramn2swglm
- MD5: cf5eda10b8afb767c9aa90c2e60da074
- SHA1: be2394dc599ca6d30b910bc96acbf5d83c09aee7
- SHA256: 35024af1d65a1a627714e6ead42382b5952f97fef015f16634a2ca4c80e58438
- SHA512: 83a6f144def80543ca523bbf0574d6e133773591b83f9ddf618f29742c92cc200a959db0e9d056ec871ee776aa9c7a0fe0294f366f65465148185e619e861faf
- SSDEEP: 96:ygDHeGfNhaenzfUP+FdRdIYAsPbPFfIYAuP1D5e1dIYAW7:PrxfnduP
Static task: static1
Malware Config
Extracted
- xworm
- 5.0
- 45.141.26.232:6666
- omb7mZjvAq0auoSy
- Install_directory: %ProgramData%
- install_file: Java Update Checker (64 bit).exe
Targets
- Target: ddosL7.bat
- Size: 14KB
- MD5: cf5eda10b8afb767c9aa90c2e60da074
- SHA1: be2394dc599ca6d30b910bc96acbf5d83c09aee7
- SHA256: 35024af1d65a1a627714e6ead42382b5952f97fef015f16634a2ca4c80e58438
- SHA512: 83a6f144def80543ca523bbf0574d6e133773591b83f9ddf618f29742c92cc200a959db0e9d056ec871ee776aa9c7a0fe0294f366f65465148185e619e861faf
- SSDEEP: 96:ygDHeGfNhaenzfUP+FdRdIYAsPbPFfIYAuP1D5e1dIYAW7:PrxfnduP
- Detect Xworm Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.