
Malware Analysis of Xworm

Xworm


Xworm is a family of malware that targets Windows systems. Once a machine is infected it can compromise the security of the system, potentially leading to data theft or unauthorized remote access. Malware of this kind poses a significant risk to computer systems and underscores the need for robust security measures to prevent and mitigate such threats.

Sample Collection


Stage1

Extracted the sample from MalwareBazaar with the password “infected”. The sample has a .vbs extension, so don't run it; open it in Notepad++ instead.


It's a straightforward obfuscation. The function Tightness takes a decimal value and returns the corresponding ASCII character (101 is the letter ‘e’). After deobfuscating the calls and rebuilding the final URL, we can see clean code.


The code tries to download and execute the content of the resource at the URL.
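As an added Python example (not the post's code and not the sample's), here is a small deobfuscator for the Stage 1 pattern described above: it resolves every `&`-joined run of `Tightness(<decimal>)` calls into the string literal it builds and then pulls out the URLs. The obfuscated input is a constructed stand-in; only the helper name Tightness comes from the post, and the exact call layout is an assumption.

```python
import re

# Constructed stand-in for the obfuscated Stage 1 VBS: every character is
# emitted as Tightness(<decimal>) and the calls are joined with '&'. Only the
# helper name comes from the post; the exact call layout is an assumption.
SAMPLE_VBS = (
    "strUrl = Tightness(104)&Tightness(116)&Tightness(116)&Tightness(112)"
    "&Tightness(115)&Tightness(58)&Tightness(47)&Tightness(47)&Tightness(101)"
    "&Tightness(120)&Tightness(97)&Tightness(109)&Tightness(112)&Tightness(108)"
    "&Tightness(101)&Tightness(46)&Tightness(99)&Tightness(111)&Tightness(109)"
    "&Tightness(47)&Tightness(120)\n"
    "Set sh = CreateObject(Tightness(87)&Tightness(83)&Tightness(99)&Tightness(114)"
    "&Tightness(105)&Tightness(112)&Tightness(116)&Tightness(46)&Tightness(83)"
    "&Tightness(104)&Tightness(101)&Tightness(108)&Tightness(108))\n"
)


def build_patterns(func_name):
    """One call such as Tightness(101), and a whole '&'-joined run of such calls."""
    call = rf"{re.escape(func_name)}\(\s*(\d+)\s*\)"
    run = rf"(?:{call}\s*&\s*)*{call}"
    return re.compile(call), re.compile(run)


def deobfuscate(vbs_text, func_name="Tightness"):
    """Replace each run of decimal-to-char calls with the string literal it builds."""
    call_re, run_re = build_patterns(func_name)

    def as_literal(m):
        text = "".join(chr(int(n)) for n in call_re.findall(m.group(0)))
        return '"' + text.replace('"', '""') + '"'  # VBS doubles embedded quotes

    return run_re.sub(as_literal, vbs_text)


URL_RE = re.compile(r"""https?://[^\s"']+""")


def extract_urls(vbs_text, func_name="Tightness"):
    """URLs that only become visible once the concatenation is resolved."""
    return URL_RE.findall(deobfuscate(vbs_text, func_name))


def defang(url):
    """Write a URL in the hxxp / [.] convention so it cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print([defang(u) for u in extract_urls(SAMPLE_VBS)])
```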

So let's curl the URL to download the file content… and it returns 404: as of now the resource is not available at the URL.

So we have a problem here: while I am analysing the sample, the payload that the above VBS script downloads during execution is no longer available on Pastebin… so how are we going to analyse it?!

After searching a lot on the internet, I was not able to get the same file from any sandbox or malware sample store. So I discussed the situation with my friend “Binary Panda”, who does similar stunts with malware, and we both tried to find the sample in different sandboxes. Meanwhile, in one of the popular sandboxes we saw that there is a way to download the pcap files for a sample it has analyzed. That triggered a good idea!! Why can’t we recreate the sample from the pcap file?!

Building the sample from the response header.


Yes!!! And that did solve our problem.

We recreated the sample from the dead using just the pcap file.
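Rebuilding a dead payload from a capture, as an added Python example (not the post's tooling): given the reassembled server-to-client TCP stream of the HTTP response (what Wireshark's Follow TCP Stream hands you), it strips the response headers and undoes chunked transfer encoding and gzip, so the saved bytes match the file the script would have downloaded. The responses are constructed in-block by an assumed build_response helper rather than taken from a real capture.

```python
import gzip


def parse_headers(head):
    """Lower-cased header name -> value, skipping the status line."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        if b":" in line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def dechunk(data):
    """Undo HTTP chunked transfer encoding (chunk extensions are ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            break
        pos = end + 2
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk and its trailing CRLF
    return bytes(out)


def carve_http_body(stream):
    """Recover the served file from a reassembled server-to-client TCP stream."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        raise ValueError("stream does not start with an HTTP response")
    headers = parse_headers(head)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(rest)
    elif "content-length" in headers:
        body = rest[: int(headers["content-length"])]
    else:
        body = rest  # delimited by connection close: keep everything captured
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def build_response(body, chunked=False, gzip_it=False):
    """Constructed server response for offline testing; not a real capture."""
    if gzip_it:
        body = gzip.compress(body)
    hdr = b"HTTP/1.1 200 OK\r\n" + (b"Content-Encoding: gzip\r\n" if gzip_it else b"")
    if chunked:
        return hdr + b"Transfer-Encoding: chunked\r\n\r\n%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return hdr + b"Content-Length: %d\r\n\r\n%s" % (len(body), body)
```

Hash the returned bytes before anything else: if the digest matches what the sandbox reported for the original download, the reconstruction is faithful.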

Here begins our stage 2.

Stage2

Opened the file in Notepad++ again to see its contents. In this file we can see a PowerShell command that will be executed when we open the file.

Below is the rest of the PowerShell script that gets executed. The script is run by the wscript.exe process.


The above code is obfuscated; reading the end of the command shows that 'DgTre' is replaced with the letter 'A', so the code was cleaned accordingly. The remaining part is a base64-encoded string, which was decoded with CyberChef.


After decoding that we get a PowerShell script that needs some rearrangement.


Here is the clean PowerShell script. What the script does is retrieve data from a series of URLs.

Stage3

It scans the downloaded content for a segment delimited by the <<BASE64_START>> and <<BASE64_END>> markers, presuming this portion to be base64-encoded.

So here we have two URLs that need to be downloaded for further analysis.

But the file content is no longer available in the location!!

The same thing happened here too: the file is not present at the location, so we recreated it from the PCAP file we downloaded before.

After building the JPEG file, open it in HxD.


Seems like we need some cleaning to get a real JPG file.

Nice, isn’t it… Will keep it as a desktop background xD

Now, as per the PowerShell script, there are flags <<BASE64_START>> and <<BASE64_END>> that we need to find in the file. So it seems some form of steganography technique is implemented here. Let’s find it in HxD.


Scrolling through HxD we saw the <<BASE64_START>> and <<BASE64_END>> flags.

So let’s decode the base64 string in CyberChef.


While decoding we were able to see the magic bytes of an EXE file, so we saved the output from CyberChef. Since it is an EXE file, open it in DIE (Detect It Easy).
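To reproduce the Stage 3 extraction offline, here is an added Python example (not the post's code and not the malware's): it carves the segment between the <<BASE64_START>> and <<BASE64_END>> markers, base64-decodes it, and checks for the MZ/PE magic bytes the author saw in CyberChef. The "JPEG" and the PE-looking blob it hides are constructed stand-ins built in the block, not the real sample.

```python
import base64
import re

START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"


def extract_between_markers(data):
    """Return the bytes between the two markers, as the Stage 3 script does."""
    s = data.find(START)
    if s < 0:
        raise ValueError("start marker not found")
    e = data.find(END, s + len(START))
    if e < 0:
        raise ValueError("end marker not found")
    return data[s + len(START):e]


def has_embedded_payload(data):
    """Quick triage check: both markers present and in the right order."""
    return START in data and data.find(END, data.find(START)) > 0


def decode_embedded_payload(data):
    """Strip any line wrapping, then base64-decode the marked segment."""
    blob = re.sub(rb"\s+", b"", extract_between_markers(data))
    return base64.b64decode(blob, validate=True)


def looks_like_pe(payload):
    """Check for the 'MZ' DOS header and the 'PE\\0\\0' signature it points to."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(payload[0x3C:0x40], "little")
    return payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_fake_pe():
    """Constructed minimal PE-looking blob (headers only, not an executable)."""
    hdr = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    return hdr + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-in for the downloaded image: JPEG SOI/EOI markers with the
# encoded payload appended after the picture data (the post located the markers
# by scrolling through the file in HxD).
FAKE_JPEG = (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
             + START + base64.b64encode(make_fake_pe()) + END)

if __name__ == "__main__":
    pe = decode_embedded_payload(FAKE_JPEG)
    print("PE carved:", looks_like_pe(pe), "size:", len(pe))
```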


The file seems to be written in .NET. Let's open it in dnSpy.


Persistence Technique

Looking through the .NET code, a method of ensuring persistence can be seen: the program inserts itself into a registry key so that it launches automatically at each system startup. This persistence tactic helps the malware maintain a foothold on the compromised system.


IOCs:


This post is licensed under CC BY 4.0 by the author.