XWorm Malware Teknik Analiz Raporu (Turkish: "XWorm Malware Technical Analysis Report")
Tags
Common Information
Type | Value |
---|---|
UUID | 2669bacd-ff8d-44c1-96b7-4449c281d567 |
Fingerprint | cea12299ecb964b3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | Turkish (inferred from the title; the embedded YARA rules and their metadata are in English) |
Published | Sept. 23, 2024, 2:23 p.m. |
Added to db | Sept. 23, 2024, 4:36 p.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | XWorm Malware Teknik Analiz Raporu |
Title | XWorm Malware Teknik Analiz Raporu |
Detected Hints/Tags/Attributes | 39/2/25 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 171 | ✔ | Malware on Medium | https://medium.com/feed/tag/malware | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 358 | pastebin.com |
|
Details | Domain | 1 | qsjksd-22439.portmap.host (portmap.io port-forwarding hostname; likely the client's C2 rendezvous and the most specific network indicator on this page — several "Domain" rows below are extraction artifacts, not hostnames) |
|
Details | Domain | 145 | api.telegram.org |
|
Details | Domain | 1 | myapplication.org |
|
Details | Domain | 149 | system.security (extraction artifact: the .NET `System.Security` namespace string, not a network domain — do not block or hunt on it) |
|
Details | Domain | 9 | opcodes.call (extraction artifact: the IL opcode identifier `OpCodes.Call` from reflection/dnlib code, not a network domain) |
|
Details | Domain | 372 | wscript.shell (not a domain: the `WScript.Shell` COM ProgID used for shortcut creation — see the Suspicious_Persistence_Indicators YARA rule below) |
|
Details | File | 7 | edge.exe |
|
Details | File | 9 | avicap32.dll |
|
Details | File | 1 | xclient.exe |
|
Details | File | 1 | c:\users\admin\downloads\buidl.exe |
|
Details | File | 13 | dnlib.dot (most likely a truncated `dnlib.DotNet`, the .NET analysis library used during the write-up — tooling reference, not a file dropped on a victim host) |
|
Details | File | 4 | rijndaelmanaged.key (not a file: the `RijndaelManaged.Key` property, i.e. the AES key setup in the sample's crypto routine) |
|
Details | File | 1 | c:\users\aycagl\desktop\buidl.exe (appears to be the analyst's own workstation path — the user name matches the YARA rule author — so treat as an analysis artifact, not a victim-side IOC) |
|
Details | File | 1 | c:\users\aycagl\desktop\clean.exe (appears to be the analyst's own workstation path, presumably the de-obfuscated/cleaned build; analysis artifact, not a victim-side IOC) |
|
Details | File | 249 | schtasks.exe |
|
Details | File | 30 | shutdown.exe |
|
Details | sha256 | 1 | 8ca7c43f383d3214f469a18fcc30436f472f9bd3d9b6134aea5d61a523665659 |
|
Details | IPv4 | 1 | 192.161.193.99 |
|
Details | IPv4 | 11 | 149.154.167.220 (appears to be Telegram API infrastructure behind api.telegram.org, shared with legitimate traffic — hunt on the bot-API URL pattern `https://api.telegram.org/bot…/sendMessage` rather than blocking the IP) |
|
Details | Url | 33 | https://api.telegram.org/bot |
|
rule Suspicious_Persistence_Indicators
{
    meta:
        description = "Detects suspicious persistence mechanisms via registry, shortcuts, and scripts"
        author      = "aycagl - Ayca Gul"
        date        = "2024-08-15"
        reference   = "XWorm V5.6"

    strings:
        // All strings are `wide` (UTF-16), as .NET string literals are stored.
        // Scheduled-task persistence: schtasks.exe with a one-minute repeating
        // trigger, with or without the elevated run level (/RL HIGHEST).
        $st_bin      = "schtasks.exe" wide fullword
        $st_elevated = "/create /f /RL HIGHEST /sc minute /mo 1 /tn \"" wide fullword
        $st_plain    = "/create /f /sc minute /mo 1 /tn \"" wide fullword
        // Run-key persistence.
        $run_key     = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide fullword
        // Shortcut (.lnk) creation through the WScript.Shell COM object.
        $wsh_progid  = "WScript.Shell" wide fullword
        $wsh_create  = "CreateShortcut" wide fullword
        $wsh_target  = "TargetPath" wide fullword
        $wsh_workdir = "WorkingDirectory" wide fullword

    condition:
        // Six of the eight markers. The individual strings are common in
        // installers and admin scripts; the threshold is what carries the signal.
        6 of ($*)
}
|
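rule XWorm_Indicators
{
    meta:
        description = "Detects the XWorm malware's send_infos method that sends system information via a Telegram bot"
        author      = "aycagl - Ayca Gul"
        date        = "2024-08-15"
        reference   = "XWorm V5.6"

    strings:
        // Version banner. `fullword` is deliberately NOT used: the banner is
        // presumably followed by the version digits (e.g. "XWorm V5.6"), and a
        // trailing alphanumeric would make a fullword match fail on the very
        // sample this rule references.
        $xworm_version = "XWorm V" wide
        // Field labels of the Telegram check-in message. "Clinet" and "Groub"
        // appear this way in the sample (the malware author's misspellings);
        // do not "correct" them or the strings stop matching.
        $new_client  = "New Clinet :" wide fullword
        $username    = "UserName :" wide fullword
        $os_fullname = "OSFullName :" wide fullword
        $usb         = "USB :" wide fullword
        $cpu         = "CPU :" wide fullword
        $gpu         = "GPU :" wide fullword
        $ram         = "RAM :" wide fullword
        $group       = "Groub :" wide fullword
        // Bot API exfiltration endpoint pieces (token and chat id are
        // concatenated at runtime, so the literals end here).
        $telegram_api = "https://api.telegram.org/bot" wide fullword
        $send_message = "/sendMessage?chat_id=" wide fullword
        // CIL of the WebClient call:
        //   nop / newobj <MemberRef> / stloc.2 / ldloc.2 / ldarg.0 /
        //   callvirt <MemberRef> / stloc.0 / leave.s <offset>
        // Metadata tokens are little-endian; the MemberRef RIDs (the three
        // bytes after 0x73 and 0x6F) and the leave.s offset are assigned per
        // build, so they are wildcarded. The table byte 0x0A (MemberRef) is
        // kept, as it is stable for calls into external assemblies.
        $webclient_function = { 00 73 ?? ?? ?? 0A 0C 08 02 6F ?? ?? ?? 0A 0A DE ?? }

    condition:
        // Six of twelve: the generic labels ("CPU :", "RAM :", ...) alone do
        // not reach the threshold without the XWorm-specific ones.
        6 of them
}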
|
rule Malware_Information_Queries
{
    meta:
        description = "Detects malware performing system information queries and persistence setup."
        author      = "aycagl - Ayca Gul"
        date        = "2024-08-15"
        reference   = "XWorm V5.6"

    strings:
        // WMI lookup of the installed AV product via SecurityCenter2.
        $wmi_av_namespace = "\\root\\SecurityCenter2" wide fullword
        $wmi_av_query     = "Select * from AntivirusProduct" wide fullword
        $wmi_av_field     = "displayName" wide fullword
        // Hardware fingerprinting: GPU and CPU identifiers.
        $wmi_gpu          = "SELECT * FROM Win32_VideoController" wide fullword
        $wmi_cpu          = "Win32_Processor.deviceid" wide fullword

    condition:
        // Four of five. Note: despite the description, this rule carries no
        // persistence strings (those live in Suspicious_Persistence_Indicators),
        // and these WMI queries are also common in legitimate system-info
        // tools - treat hits as hunting leads, not verdicts.
        4 of ($wmi_*)
}
|
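rule Malware_Command_Detection
{
    meta:
        description = "Detects specific malware command and function strings"
        author      = "aycagl - Ayca Gul"
        date        = "2024-08-15"
        reference   = "XWorm V5.6"

    strings:
        // Keep-alive / lifecycle commands. Several of these ("CLOSE", "update",
        // "uninstall") are generic and only count towards the threshold.
        $s1  = "pong" wide fullword
        $s2  = "CLOSE" wide fullword
        $s3  = "uninstall" wide fullword
        $s4  = "update" wide fullword
        // URL open / hidden open.
        $s5  = "Urlopen" wide fullword
        $s6  = "Urlhide" wide fullword
        // Power commands and the exact shutdown.exe invocations behind them.
        $s7  = "PCShutdown" wide fullword
        $s8  = "shutdown.exe /f /s /t 0" wide fullword
        $s9  = "PCRestart" wide fullword
        $s10 = "shutdown.exe /f /r /t 0" wide fullword
        $s11 = "PCLogoff" wide fullword
        $s12 = "shutdown.exe -L" wide fullword
        // Shell, DDoS and reporting toggles.
        $s13 = "RunShell" wide fullword
        $s14 = "StartDDos" wide fullword
        $s15 = "StopDDos" wide fullword
        $s16 = "StartReport" wide fullword
        $s17 = "StopReport" wide fullword
        $s18 = "Xchat" wide fullword
        // hosts-file tampering and its status messages.
        $s19 = "Hosts" wide fullword
        $s20 = "\\drivers\\etc\\hosts" wide fullword
        $s21 = "Shosts" wide fullword
        $s22 = "HostsMSG" wide fullword
        $s23 = "Modified successfully!" wide fullword
        $s24 = "HostsErr" wide fullword
        $s25 = "DDos" wide fullword
        // Plugin loading. "plugin", "Plugin" and "Invoke" are very common in
        // benign .NET code and are the main false-positive contributors here.
        $s26 = "plugin" wide fullword
        $s27 = "sendPlugin" wide fullword
        $s28 = "savePlugin" wide fullword
        $s29 = "RemovePlugins" wide fullword
        $s30 = "Plugins Removed!" wide fullword
        $s31 = "OfflineGet" wide fullword
        $s32 = "OfflineKeylogger Not Enabled" wide fullword
        $s33 = "Plugin" wide fullword
        $s34 = "Invoke" wide fullword
        $s35 = "RunRecovery" wide fullword
        $s36 = "Recovery" wide fullword

    condition:
        // Restrict to PE files: roughly a quarter of the strings above are
        // ordinary words that also appear in scripts, documents and logs, and
        // the 15-of-36 threshold alone did not exclude them. Drop the header
        // check if this rule is used for process/memory scanning, where the
        // decrypted payload may not sit at the start of a scanned region.
        uint16(0) == 0x5A4D and 15 of ($s*)
}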