ioc[.]one - OSINT Cyber Threat Intelligence Database

ShadowWali: New variant of the xxmm family of backdoors

Tags

cmtmf-attack-pattern:	Process Injection
country:	Japan
attack-pattern:	Data Credentials - T1589.001 Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Process Hollowing - T1055.012 Process Injection - T1631 Server - T1583.004 Server - T1584.004 Software - T1592.002 Steganography - T1001.002 Steganography - T1406.001 Steganography - T1027.003 Windows Service - T1543.003 Tool - T1588.002 Credential Dumping - T1003 Powershell - T1086 Process Hollowing - T1093 Process Injection - T1055 Rootkit - T1014 Rootkit

Show in Graph

Common Information

Type	Value
UUID	dcb232c8-2282-4a63-a090-d9ed67fe4005
Fingerprint	2f9d191505b52455
Analysis status	DONE
Considered CTI value	2
Text language
Published	April 25, 2017, midnight
Added to db	Sept. 26, 2022, 9:31 a.m.
Last updated	Nov. 17, 2024, 6:55 p.m.
Headline	ShadowWali: New variant of the xxmm family of backdoors
Title	ShadowWali: New variant of the xxmm family of backdoors
Detected Hints/Tags/Attributes	83/3/50

Source URLs

	Redirection	Url
Details	Source	https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors

URL Provider

Details	Provider	Source level domain
Details	cybereason.com	www.cybereason.com

Attributes

Details	Type	#Events	Value
Details	Domain	6	setupapi.dev
Details	Domain	13	co.jp
Details	File	478	lsass.exe
Details	File	1260	explorer.exe
Details	File	263	iexplore.exe
Details	File	7	srvhost.exe
Details	File	1	sep9808.tmp
Details	File	6	dev.log
Details	File	1	scommand.txt
Details	File	1	rr2e9e.tmp
Details	File	58	test.exe
Details	File	9	smsvchost.exe
Details	File	1	c:\program files\common files\system\reginie.exe
Details	File	6	css.php
Details	File	8	upgrade.php
Details	File	3	xxmm2_build.exe
Details	File	2	oledb32.exe
Details	File	1	ravrtlupd.exe
Details	File	1	spmapi.exe
Details	sha1	1	3603163413a8e4e03758c9fb7673e1866ff29cb5
Details	sha1	1	2ce05cd6af79b10f9ee8cbebae8d439ff0f30f60
Details	sha1	1	1c822cb9b4afa82099b8ef2b909204d9d8f4626d
Details	sha1	1	52921e7b488ee1a48ca098247a07d17ce610c235
Details	sha1	1	133c7b74e35d9dcc3bd43764cb18e59c1b74190f
Details	sha1	1	8123534dde8ac4af983db302a06427aab00edd55
Details	sha1	1	bc725b8ff4446a72539f5c5b0532cc0264a51d9c
Details	sha1	1	7ddedadb81ee7a00f07f40686f078a7974e0c2d1
Details	sha1	1	e5f5d64bf49b10dd4591907f34357be6cecf55b7
Details	sha1	1	381a99c6abe218863f352a76941c9d3a4369740a
Details	sha1	1	878b77556ec3c3572d09f84cc2d8f60cd92f7d00
Details	sha1	1	d044b40d4121689a1aed655da243d2917b866b6f
Details	sha1	1	a0f8cfddb34cf44a5588903af73f5152af84c47e
Details	sha1	1	4f5748fce8643b95dc15511816cd8045d0a470cc
Details	sha1	1	2cde37f62202e4a0b3e6b600293563716e099413
Details	sha1	1	2e340ad74fb71d86787d2801055029c8c0e0df5b
Details	sha1	1	9cc5ba99b05a0b26f04ee5f6a3ec4088b06c6b17
Details	sha1	1	802722295013d866855bded0853d6aabc3a93a6f
Details	sha1	1	29bcc33d2b5b6ea192d1b87ab480f10d83406387
Details	sha1	1	c4e0035e6bb3c4a42dd593cb578d9563a2e4d0c7
Details	sha1	1	13f00e24157af0f23558f400facbb015606c4e38
Details	sha1	1	3a5975be9b3e9b1909d0f8efb6add0ffe84adb76
Details	sha1	1	168524e2292e376b2036c41e691a434bac3a89e1
Details	sha1	1	367c85179a30b20db2163cdb0cea6d17dd164c4a
Details	Pdb	3	c:\users\123\documents\visual studio 2010\projects\xxmm2\release\test2.pdb
Details	Pdb	1	c:\users\123\documents\visual studio 2010\projects\xxmm2\x64\release\bypassuacdll.pdb
Details	Pdb	1	c:\users\123\documents\visual studio 2010\projects\xxmm2\release\loadsetup.pdb
Details	Pdb	2	c:\users\123\desktop\xxmm3\x64\release\reflectivloader.pdb
Details	Pdb	1	c:\users\123\documents\visual studio 2010\projects\shadowwalker\x64\release\bypassuacdll.pdb
Details	Windows Registry Key	3	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Details	Windows Registry Key	1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv7