xworm | f9e6ac8416e5d9008770b79f7621c1b6769b5bb4fa3b7233e2654dc86927683d | Triage

Submit
Reports

Overview

overview

Static

static

3

jiggycool.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

jiggycool.exe
Size

5.3MB
Sample

240913-zt5mzazaja
MD5

6c456c5fd2f355394f5cef55902805d2
SHA1

aaa68d5888ad38a3e37c689e425424188fad4f1e
SHA256

f9e6ac8416e5d9008770b79f7621c1b6769b5bb4fa3b7233e2654dc86927683d
SHA512

1e8db23de44bcb78620724eb7435b6ff0efa73cb0155feb72200e98042cd62e458a9c5946004086c3529a0e0dbb930275d689e6d981e68168214cf4859385f71
SSDEEP

98304:++2p3/9yx7AQO0pW44GKkJu38pbnSLuXEJisbgVr0pC1sloAl/RedB:Y/9yx7AQOEW3l6uspnTWcr0QOiCZ

Score

10^/10

xworm discovery evasion persistence privilege_escalation ransomware rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

jiggycool.exe

Resource

win11-20240802-en

xworm discovery evasion persistence privilege_escalation ransomware rat themida trojan

windows11-21h2-x64

27 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

alternative-pill.gl.at.ply.gg:40543

Mutex

xTt0pJ05czkYxT70

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  jiggycool.exe
- Size
  
  5.3MB
- MD5
  
  6c456c5fd2f355394f5cef55902805d2
- SHA1
  
  aaa68d5888ad38a3e37c689e425424188fad4f1e
- SHA256
  
  f9e6ac8416e5d9008770b79f7621c1b6769b5bb4fa3b7233e2654dc86927683d
- SHA512
  
  1e8db23de44bcb78620724eb7435b6ff0efa73cb0155feb72200e98042cd62e458a9c5946004086c3529a0e0dbb930275d689e6d981e68168214cf4859385f71
- SSDEEP
  
  98304:++2p3/9yx7AQO0pW44GKkJu38pbnSLuXEJisbgVr0pC1sloAl/RedB:Y/9yx7AQOEW3l6uspnTWcr0QOiCZ
Score

10^/10

xworm discovery evasion persistence privilege_escalation ransomware rat themida trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormdiscoveryevasionpersistenceprivilege_escalationransomwareratthemidatrojan

© 2018-2025

Terms | Privacy