xworm | 9a5aa8cb01e9e8433be99871b15bcb29818c2a3936a4e8e55159841b4dd886b4

General

Target

svchost.exe
Size

16.8MB
MD5

2971c9858f9e94a07bd1b28b5aa6fe5e
SHA1

a4fb4dee0bcffddbecd2c92a4395dbbdde7ae1ff
SHA256

9a3218bd2e4559b2c6b178c27cb82b458c7e2f11100020d691c8c51e900e573e
SHA512

78225d678a99780db4dea6c07087455812bd87a19d7a3454280a8f3cfacadf8f34aa3e1797691740751cc00af374248dc51318b3033927ac519c2c5bc0e5edd6
SSDEEP

393216:ilcMFzYch/5ChO7IBhgOXSrKWv/C4ffpANVoUuWa:4cMFz/IzgOCZoNV2W

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:52195

schedule-lambda.gl.at.ply.gg:52195

Attributes

Install_directory
%AppData%
install_file
jojiware.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000c000000023b25-6.dat	family_xworm
behavioral3/memory/456-13-0x00000000004D0000-0x00000000004E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1348	powershell.exe
388	powershell.exe
4052	powershell.exe
1940	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	jojiware.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojiware.lnk	jojiware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojiware.lnk	jojiware.exe

Executes dropped EXE 3 IoCs

pid	Process
456	jojiware.exe
3796	svchost.exe
3552	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jojiware = "C:\\Users\\Admin\\AppData\\Roaming\\jojiware.exe"	jojiware.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1348	powershell.exe
1348	powershell.exe
388	powershell.exe
388	powershell.exe
4052	powershell.exe
4052	powershell.exe
1940	powershell.exe
1940	powershell.exe
456	jojiware.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	jojiware.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	456	jojiware.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
456	jojiware.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 456	2612	svchost.exe	86
PID 2612 wrote to memory of 456	2612	svchost.exe	86
PID 2612 wrote to memory of 3796	2612	svchost.exe	87
PID 2612 wrote to memory of 3796	2612	svchost.exe	87
PID 2612 wrote to memory of 3796	2612	svchost.exe	87
PID 3796 wrote to memory of 3552	3796	svchost.exe	88
PID 3796 wrote to memory of 3552	3796	svchost.exe	88
PID 456 wrote to memory of 1348	456	jojiware.exe	94
PID 456 wrote to memory of 1348	456	jojiware.exe	94
PID 456 wrote to memory of 388	456	jojiware.exe	97
PID 456 wrote to memory of 388	456	jojiware.exe	97
PID 456 wrote to memory of 4052	456	jojiware.exe	99
PID 456 wrote to memory of 4052	456	jojiware.exe	99
PID 456 wrote to memory of 1940	456	jojiware.exe	101
PID 456 wrote to memory of 1940	456	jojiware.exe	101

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Roaming\jojiware.exe
  "C:\Users\Admin\AppData\Roaming\jojiware.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\jojiware.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jojiware.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\jojiware.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jojiware.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytujohdy.s4a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\jojiware.exe

Filesize
73KB

MD5
6b46fdd8de4f584cf6bcfbc8a5ceef27

SHA1
70cc2f46462a8ac3fcb0bb1700420b117a0b33c4

SHA256
cb472f4e1ff93e2977f942ddb303d2fa727064886d72c64b1e99d7c94648b470

SHA512
c2d0051b0b07c3d840cc38ba03e9bbc900ad2270d60fa015b1e9266238832688bab6cdb821a7919189776d3056970bbd7206f420538f77989d7603dcd8ee5695

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
16.7MB

MD5
9bf3b17dea674ab092045dcfb342a14b

SHA1
b1bdbd60cbfa842e2888af7a839d2cba7d3dd833

SHA256
5a3d98f9cf3cf00caa2184f35f67d8752541da688788986e83771b81a46eaa21

SHA512
d968797b40df20b012c16a19844bbefcb14c2d3713b92ab7d399481e8fe96e48a61560dfe57b693e44c69669c51acbe5e2a1c5f7ca5f60fc5fde2bac4d4d490f

Download Submit
C:\Windows\svchost.exe

Filesize
16.7MB

MD5
2ad3cc7c4ecd822f58c49b6bc9a3c8fa

SHA1
d4515faedc4e35657585ab4974c3c5012a10a7c9

SHA256
0d19e5b69dd4daddb42a50fe75ed28435a58539a5cde6f14e5a6ac05a95b1f49

SHA512
37e42a859c11d77b0fae019952c631b7190c301b9e02656275ef45d64b6cc38372adb3598413a42e044516ee525be872fd2e225b7fbd49f26005a008df6c1cdd

Download Submit
memory/456-35-0x00007FFA20360000-0x00007FFA20E21000-memory.dmp

Filesize
10.8MB

Download
memory/456-14-0x00007FFA20360000-0x00007FFA20E21000-memory.dmp

Filesize
10.8MB

Download
memory/456-13-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/1348-36-0x00000165D0C70000-0x00000165D0C92000-memory.dmp

Filesize
136KB

Download
memory/2612-0-0x00007FFA20363000-0x00007FFA20365000-memory.dmp

Filesize
8KB

Download
memory/2612-1-0x0000000000D50000-0x0000000001E1A000-memory.dmp

Filesize
16.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads