Overview

overview

10

Static

static

3

jojiware-driver.dll

windows10-2004-x64

1

kdmapper_Release.exe

windows10-2004-x64

1

svchost.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DESKTOP.rar

  • Size

    12.4MB

  • Sample

    241115-vnj2vsxhqg

  • MD5

    c3c41e24e445e6515a8482fa15cfdffc

  • SHA1

    b03dcb29a01992d28c3f8dc445a2d507922604b9

  • SHA256

    9a5aa8cb01e9e8433be99871b15bcb29818c2a3936a4e8e55159841b4dd886b4

  • SHA512

    9c5924f628419eef414b01442fa0dc8f0cae2652c3447fd59acf4b45975cb93d91381f78b8f76dbdd3900f04b973f550d1e0af75159fda006e636f85f3466814

  • SSDEEP

    196608:5N4TCc98Mg10zUelRq4Yate7+Zw2gAK2Qv6J5MpssLgDGjQ1tsxrPqujmb+SPuko:5N9w20BxY3+pgbBuEL/c1uxuW4ut

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:52195

schedule-lambda.gl.at.ply.gg:52195
Attributes
  • Install_directory

    %AppData%

  • install_file

    jojiware.exe

Targets

    • Target

      jojiware-driver.sys

    • Size

      617KB

    • MD5

      79c775a07ac57b88c94027e574c11eff

    • SHA1

      de0a33c6210c72b23a64bd2031c0ae20b10a8d02

    • SHA256

      96f8e95f21413adb073b8a467f7da00495386330970cd9e082151b20886023ac

    • SHA512

      c1b89b7d38b802e667028ba14c3f55223dcb9a121f1ba040c3479439f535458fc1f337b44858d7f2f93890fc3b3cdd729fef457639c2579b2ef072098c8e1bf6

    • SSDEEP

      12288:jdU6NRc+Ho+27D5x1rdy6px46mYqUCHtyzXxVYx19gah:jOme+o79vrdyM46yUCHtyzhVEnXh

    Score
    1/10
    behavioral1

    • Target

      kdmapper_Release.exe

    • Size

      136KB

    • MD5

      efd774338e9f50a1a0f8d90c4295c142

    • SHA1

      32182748ae69f53808c7abc56d472e07f8824aba

    • SHA256

      9fbacd0bf4b6532e324c327ab84483ca7b2c0e390fb84a3c13a258c20b0e15c3

    • SHA512

      0bb5fd62bcc8b3f85a53c4d2aa1c277c7ecc8ee09dd809596d2f439d3f0749638a651416e5f8ec18ec9debbad7bdeedbea8492c85dc298d4f20c340555cb196f

    • SSDEEP

      3072:4AjOlKvd6vifOkwZNmJTQSaMm5/6seUPwXJooc8eR:4AuKvd6Q0+WlneUCNa

    Score
    1/10
    behavioral2

    • Target

      svchost.exe

    • Size

      16.8MB

    • MD5

      2971c9858f9e94a07bd1b28b5aa6fe5e

    • SHA1

      a4fb4dee0bcffddbecd2c92a4395dbbdde7ae1ff

    • SHA256

      9a3218bd2e4559b2c6b178c27cb82b458c7e2f11100020d691c8c51e900e573e

    • SHA512

      78225d678a99780db4dea6c07087455812bd87a19d7a3454280a8f3cfacadf8f34aa3e1797691740751cc00af374248dc51318b3033927ac519c2c5bc0e5edd6

    • SSDEEP

      393216:ilcMFzYch/5ChO7IBhgOXSrKWv/C4ffpANVoUuWa:4cMFz/IzgOCZoNV2W

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks