General

  • Target

    mnjxai.exe

  • Size

    29KB

  • Sample

    240828-z4zvgayclj

  • MD5

    f2867efa7b2c31827f4e9d7c7ed5a5e1

  • SHA1

    412f7653714eab545ed97f27d4af40b8f22d11e5

  • SHA256

    bcca89e8ec351c026bb6650860d4ff0f1ed2bc02ee4874adfa57b1a464ac629b

  • SHA512

    5dce27f7fad31bd6149022002a81a849f4222b18da1aad4298834aa04514a42a1b9e7c68aa67bf572254ac8db9dfe42d87e551fe32a83d23b8432cf8608ac485

  • SSDEEP

    384:uzLn3QQwuJ+XJaQaZcxp9tTv1GBHY9VePKE1Fho4HW5431vtVkdrMAwhx0Vo/On9:Kn1wcmBFVQdPKExW54+d5MN/4h5

Malware Config

Extracted

Family

xworm

Version

5.0

C2

mode-clusters.gl.at.ply.gg:36304

Mutex

4ve1OmdqYAgbmjh9

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      mnjxai.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks