General
-
Target
yke.exe
-
Size
16.8MB
-
Sample
241113-rldkhssqav
-
MD5
2971c9858f9e94a07bd1b28b5aa6fe5e
-
SHA1
a4fb4dee0bcffddbecd2c92a4395dbbdde7ae1ff
-
SHA256
9a3218bd2e4559b2c6b178c27cb82b458c7e2f11100020d691c8c51e900e573e
-
SHA512
78225d678a99780db4dea6c07087455812bd87a19d7a3454280a8f3cfacadf8f34aa3e1797691740751cc00af374248dc51318b3033927ac519c2c5bc0e5edd6
-
SSDEEP
393216:ilcMFzYch/5ChO7IBhgOXSrKWv/C4ffpANVoUuWa:4cMFz/IzgOCZoNV2W
Malware Config
Extracted
xworm
127.0.0.1:52195
schedule-lambda.gl.at.ply.gg:52195
-
Install_directory
%AppData%
-
install_file
jojiware.exe
Targets
-
-
Target
yke.exe
-
Size
16.8MB
-
MD5
2971c9858f9e94a07bd1b28b5aa6fe5e
-
SHA1
a4fb4dee0bcffddbecd2c92a4395dbbdde7ae1ff
-
SHA256
9a3218bd2e4559b2c6b178c27cb82b458c7e2f11100020d691c8c51e900e573e
-
SHA512
78225d678a99780db4dea6c07087455812bd87a19d7a3454280a8f3cfacadf8f34aa3e1797691740751cc00af374248dc51318b3033927ac519c2c5bc0e5edd6
-
SSDEEP
393216:ilcMFzYch/5ChO7IBhgOXSrKWv/C4ffpANVoUuWa:4cMFz/IzgOCZoNV2W
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-