General

  • Target

    Mercurial.exe

  • Size

    3.8MB

  • Sample

    240905-xfyamaxhmb

  • MD5

    b6c6a47a70160d6b30eb4d3225f1306f

  • SHA1

    0878b089fbf5693ea467cfc717ae52c1b34b23d1

  • SHA256

    68b6e064902280feb25019fdf18be56b92007121ead420c151b3b90c15fd258e

  • SHA512

    aa13e39e4e55130a1560804a35eb85a36ed666930fa1ecfb959e2656285c3ba718b06510780f123302682ceed4de8d119a7afcdcbf9ffe0d30510f10ff550064

  • SSDEEP

    98304:lnsmtk2au0fGFljBc0ktzd8dMBv3inJh1w1KxWHMmuyl:5LnFlthsBYMBv3Q0ZsmuK

Malware Config

Extracted

Family

xworm

Version

3.1

C2

jajaovh.duckdns.org:1605

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Targets

    • Target

      Mercurial.exe

    • Size

      3.8MB

    • MD5

      b6c6a47a70160d6b30eb4d3225f1306f

    • SHA1

      0878b089fbf5693ea467cfc717ae52c1b34b23d1

    • SHA256

      68b6e064902280feb25019fdf18be56b92007121ead420c151b3b90c15fd258e

    • SHA512

      aa13e39e4e55130a1560804a35eb85a36ed666930fa1ecfb959e2656285c3ba718b06510780f123302682ceed4de8d119a7afcdcbf9ffe0d30510f10ff550064

    • SSDEEP

      98304:lnsmtk2au0fGFljBc0ktzd8dMBv3inJh1w1KxWHMmuyl:5LnFlthsBYMBv3Q0ZsmuK

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks