Resubmissions

18-10-2024 20:33

241018-zbw8waydrn 10

18-10-2024 20:16

241018-y2b5yswdld 10

General

  • Target

    skibidi toilet.bat

  • Size

    385KB

  • Sample

    241018-zbw8waydrn

  • MD5

    bd4af530d004a712f796171f4c748bd0

  • SHA1

    22b50637859441a9024bef4c367f4ddb4bc12a9c

  • SHA256

    57e2b4dc37fad695aaf7cd4841e37d66c7a84fe61eefbc1183261b628ac87dbf

  • SHA512

    b7266ca4041ec8c1b9b59b0075d154c6100f8431903701522c51c31cfcece84ccec2623dad9a9a13b266e6d252f7393c27536994ef76c079f5f18bd9e66f126b

  • SSDEEP

    6144:UfSqeucViW45gbfeJxrvJYYVOfpsMRxUQvRRTpFvGHk46g+o:Uz4C3JdngbIMRZfeHF

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:25993

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      skibidi toilet.bat

    • Size

      385KB

    • MD5

      bd4af530d004a712f796171f4c748bd0

    • SHA1

      22b50637859441a9024bef4c367f4ddb4bc12a9c

    • SHA256

      57e2b4dc37fad695aaf7cd4841e37d66c7a84fe61eefbc1183261b628ac87dbf

    • SHA512

      b7266ca4041ec8c1b9b59b0075d154c6100f8431903701522c51c31cfcece84ccec2623dad9a9a13b266e6d252f7393c27536994ef76c079f5f18bd9e66f126b

    • SSDEEP

      6144:UfSqeucViW45gbfeJxrvJYYVOfpsMRxUQvRRTpFvGHk46g+o:Uz4C3JdngbIMRZfeHF

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks