{
	"id": "caa985c2-cd92-447f-8453-37b91079772a",
	"created_at": "2026-04-06T01:31:17.328887Z",
	"updated_at": "2026-04-10T03:21:55.891069Z",
	"deleted_at": null,
	"sha1_hash": "0a02aff533ae22840dbaa1f89f7c807692b3c1e4",
	"title": "MalwareAnalysisReports/XWormShellcode/Packer Shellcode Delivering XWorm.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 431447,
	"plain_text": "MalwareAnalysisReports/XWormShellcode/Packer Shellcode\r\nDelivering XWorm.md at main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-06 01:17:11 UTC\r\nSample Information\r\nParent Hash:\r\nSHA256\r\n51109A3D4CFEE3DAB4465677957F991C0E5EAC17637BB6C989373118F81948A3\r\nShellcode:\r\nSHA256\r\n2FA571755AE79D22878273A487A326A4FA87FD77CF88AC98D4AE740FE38A1250\r\nFinal payload\r\nSHA256\r\nB1F73B1AC29A3FE85E8AF634DF42BE1EF7E293624EAF9F3267B6AC0BED8091CB\r\nSample is shellcode used by the XWorm binary to load the final stage payload. It originates from an AutoIT script which\r\nessentially is used just to run this intermediate stage.\r\nAnalysis\r\nResolving API\r\nSince we are dealing with shellcode, there isn't much information to go on. No exports, no imports, so looking\r\nat the code statically doesn't yield much information either. The first step will be to understand which APIs the shellcode\r\nwill use and how they are resolved.\r\nFrom the main entry point of the code we can reach the function responsible. The APIs are resolved by fetching the\r\nnecessary DLLs from the PEB and looping through the export list to find the ones needed. Keep in mind that the API names\r\nare hashed, so they will first go through a resolving function.\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/XWormShellcode/Packer%20Shellcode%20Delivering%20XWorm.md\r\nPage 1 of 10\n\nWalks the PEB modules until it reaches the target DLL it needs\r\nReturns a pointer to the base address of the DLL needed\r\nLoops 37 times, calling another function which is used to get the address of the API based on its hash.\r\nThe hashes are resolvable by plugins such as HashDB, telling us they are crc32 values.\r\nSo once it gets the address of the API from the DLL it is saved into an array. In total it resolved functions from 5\r\nDLLs (NTDLL is actually used later)\r\nHelper Structure\r\nConsidering the APIs are saved in an array, we will build a structure to hold the correct values. This will be reflected in\r\nother code blocks and make our life easier. The API index needs to be taken into account and the struct needs to be\r\nbuilt accordingly. We will order them based on the index inside the square brackets.\r\nStructure:\r\nstruct _FUNC_TABLE\r\n{\r\nvoid* CreateProcessW;\r\nvoid* GetCursorPos;\r\nvoid* Sleep;\r\nvoid* GetTickCount;\r\nvoid* GetThreadContext;\r\nvoid* SetThreadContext;\r\nvoid* VirtualAlloc;\r\nvoid* PathCombineW;\r\nvoid* GetTempPathW;\r\nvoid* lstrcpyW;\r\nvoid* lstrcatW;\r\nvoid* CreateDirectoryW;\r\nvoid* WriteFile;\r\nvoid* SHGetFolderPathW;\r\nvoid* HeapAlloc;\r\nvoid* CommandLineToArgvW;\r\nvoid* GetProcessHeap;\r\nvoid* ExitThread;\r\nvoid* HeapFree;\r\nvoid* GetFileAttributesW;\r\nvoid* GetFileSizeEx;\r\nvoid* QueryPerformanceCounter;\r\nvoid* IsDebuggerPresent;\r\nvoid* GetCurrentThread;\r\nvoid* CreateThread;\r\nvoid* WaitForSingleObject;\r\nvoid* TerminateProcess;\r\nvoid* ExitProcess;\r\nvoid* ReadProcessMemory;\r\nvoid* GetModuleFileNameW;\r\nvoid* GetCommandLineW;\r\nvoid* GetProcAddress;\r\nvoid* CloseHandle;\r\nvoid* IsWow64Process;\r\nvoid* CreateFileW;\r\nvoid* ReadFile;\r\nvoid* GetFileSize;\r\nvoid* VirtualFree;\r\nvoid* LoadLibraryA;\r\nvoid* LoadLibraryW;\r\nvoid* CryptAcquireContextW;\r\nvoid* CryptGenRandom;\r\nvoid* CryptReleaseContext;\r\nvoid* GetModuleHandleW;\r\n};\r\nEntry point\r\nThis code block is the start of the shellcode. It initially runs the function described above to build a table of\r\naddresses that it will use to call the APIs. If the structure we made is applied correctly, this will clean up the code and\r\nmake it easy to see what is going on.\r\nBefore:\r\nAfter:\r\nThis part of the code will essentially do the following:\r\nSets key in var L12L3V8NVXKURK7Y9XADR58\r\nOpens the file in the TMP path, disimmure.\r\nAllocates memory based on the size of the contents\r\nCopies the contents of the file to the memory section\r\nPasses the memory section, size, key and modulus operand to the decryption function.\r\nThe decryption routine is nothing special and is basically just a simple XOR (see Functions below)\r\nThe result is that there is now a decrypted payload in memory.\r\nInjection\r\nThe final phase is to inject the payload. It chooses between three possible processes:\r\nC:\\Windows\\System32\\svchost.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\r\nOnce a target has been picked, it will proceed to create the process and manipulate its memory to inject the\r\nmalicious payload. This injection is done using syscalls. The APIs involved in injecting and running the payload\r\nare:\r\nNtCreateSection\r\nNtMapViewOfSection\r\nNtWriteVirtualMemory\r\nNtResumeThread\r\nSyscalls hook check\r\nThe malware also checks for hooks on the Nt functions. It checks for jmp opcodes and skips them if found. 0xe9\r\n\u0026 0xea are the JMP \u0026 JMP FAR opcodes.\r\nOnce checked it will enter the syscall:\r\nFunctions\r\nmw_w_PEBWalking()\r\nmw_ResolveHashExports\r\nmw_XorDecrypt\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/XWormShellcode/Packer%20Shellcode%20Delivering%20XWorm.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/XWormShellcode/Packer%20Shellcode%20Delivering%20XWorm.md"
	],
	"report_names": [
		"Packer%20Shellcode%20Delivering%20XWorm.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a02aff533ae22840dbaa1f89f7c807692b3c1e4.pdf",
		"text": "https://archive.orkl.eu/0a02aff533ae22840dbaa1f89f7c807692b3c1e4.txt",
		"img": "https://archive.orkl.eu/0a02aff533ae22840dbaa1f89f7c807692b3c1e4.jpg"
	}
}