{
	"id": "b978d322-f3a1-4951-93a1-9a2a5f309a20",
	"created_at": "2026-04-06T00:15:02.702477Z",
	"updated_at": "2026-04-10T03:20:23.316166Z",
	"deleted_at": null,
	"sha1_hash": "efef79e25b72e05f0028014b99c3f884b58976ed",
	"title": "Old Malware Tricks To Bypass Detection in the Age of Big Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107743,
	"plain_text": "Old Malware Tricks To Bypass Detection in the Age of Big Data\r\nBy Suguru Ishimaru\r\nPublished: 2017-04-13 · Archived: 2026-04-05 15:09:26 UTC\r\nKaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This\r\nattacker has been using the XXMM malware toolkit, which was named after an original project path revealed\r\nthrough a pdb string inside the file: “C:\\Users\\123\\documents\\visual studio\r\n2010\\Projects\\xxmm2\\Release\\test2.pdb”. We came across an unusual technique used by a sample which\r\ncontained no pdb strings but was very similar to a variant of XXMM malware in terms of code similarity, malware\r\nfunctionality, crypto-algorithm, data structures and module configuration.\r\nThe malware sample we observed was named “srvhost.exe” to resemble a standard system process name. It came\r\nfrom one of our partners at the beginning of 2017. One of the most surprising features of the malware was its file\r\nsize, which is not commonly seen in malware – it was over 100MB. According to our analysis, this malware is a\r\nTrojan loader component that activates a backdoor. We could not confirm pdb strings from this malware, however\r\nthe backdoor module seems to be named “wali” by the author, according to strings from the embedded config\r\nblock.\r\nFig. config strings with “[wali]” section\r\nFig. “wali.exe” name in the malware body\r\nThe wali loader decrypts the embedded wali backdoor using the “\\x63” byte and a simple XOR operation. The\r\nXOR key is not only “\\x63”, we confirmed others. Then, the wali backdoor module is injected into the memory of\r\nthe iexplore.exe process by the loader.\r\nWhat is inside the wali loader that makes it so big in size? The reason is that this sample has a very big overlay of\r\njunk data. We found more than 20 other similar samples (wali loader + overlay) using open source intelligence and\r\nby searching our malware collection using YARA rule. 
After removing the overlay, there were only six unique samples.\r\nhttps://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/\r\nPage 1 of 6\r\nmd5_payload                      | md5_payload+overlay              | size (bytes)\r\nd1e24c3cc0322b22988a1ce366d702e5 | 8bd0ddeb11518f3eaaddc6fd82627f33 | 105982049\r\ne4811950899f44f9d14a786b4c5b1faa | 2871ec229804a6e872db55dafa5c9713 | 105997178\r\ne4811950899f44f9d14a786b4c5b1faa | 3e24710d7ade27316d367dd8cb2a0b1a | 105996860\r\ne4811950899f44f9d14a786b4c5b1faa | 3e9feea893482b65a68b1feecb71cd4d | 105997043\r\ne4811950899f44f9d14a786b4c5b1faa | 558ca7fa8ed632fa4f8c69e32888af0f | 105997191\r\ne4811950899f44f9d14a786b4c5b1faa | d11f7b25823ce474e30e8ab9c8d567b0 | 105996847\r\ne4811950899f44f9d14a786b4c5b1faa | f4c3f06faf53ad2bbc047818344a2323 | 105997181\r\ne4811950899f44f9d14a786b4c5b1faa | f7cc6a5a06cd032c6172d14c1568b976 | 105997102\r\ne7492f11c88d32e1e0b43f6b29604ec8 | 6a5558e4ab530f9b5c2d5bcc023d3218 | 105997658\r\ne7492f11c88d32e1e0b43f6b29604ec8 | bb8cef31cf6211c584d245be88573e1f | 105997755\r\nTable. Some samples of 100M+ bytes wali loader + overlay (rows sharing an md5_payload are the same loader with different junk appended)\r\nThe overlay data is generated by the wali dropper when the wali loader is installed onto the victim’s machine. The following figure shows the structure of the malware components and how they relate to each other:\r\nFig. Structure of wali modules\r\nWali dropper1 checks the CPU architecture. If the CPU is 64-bit, it decrypts the 64-bit version of the wali loader from resource id 101; otherwise, it decrypts the 32-bit version from resource id 102. To extract the resource data it uses RC4 with “12345” as the key, and then LZNT1 to decompress the result. Dropper1 then creates a file named “win${random4 chr}.tmp.bat” in the current temp directory from the decrypted wali dropper2 data.
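Both decoding steps named so far are straightforward to reproduce: RC4 with the key 12345 followed by LZNT1 decompression for the dropper1 resource, and a single-byte XOR for the backdoor embedded in the loader. The Python below is an added example written for this page, not code from the samples or from Kaspersky: rc4 and lznt1_decompress implement the standard algorithms (LZNT1 in the form consumed by RtlDecompressBuffer), extract_resource chains them in the order the post gives, and recover_xor_key brute-forces all 256 single-byte XOR keys and accepts one only when it yields an MZ header whose e_lfanew points at a PE signature, which covers the other keys the post mentions without naming them. All input bytes are constructed here because no sample bytes are published: the LZNT1 chunk is hand-assembled and then RC4-encrypted with the same key, and the XOR-encoded blob wraps a minimal fake PE header. The resource IDs 101/102 and the CPU architecture check are not modelled.

```python
import struct

def rc4(key, data):
    # Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(data):
    # LZNT1 as read by RtlDecompressBuffer: chunks with a 16-bit header (bit 15
    # compressed, bits 12..14 signature 011, bits 0..11 chunk size - 3), then flag
    # bytes each followed by eight tokens: a literal byte (flag bit clear) or a
    # 16-bit back-reference (flag bit set) whose displacement field grows by one
    # bit each time the chunk output doubles beyond 16 bytes.
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from('<H', data, pos)[0]
        pos += 2
        if header == 0:
            break
        chunk_end = pos + (header & 0x0FFF) + 1
        if chunk_end > len(data):
            raise ValueError('truncated LZNT1 chunk')
        if not header & 0x8000:
            out += data[pos:chunk_end]           # stored chunk, copied verbatim
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from('<H', data, pos)[0]
                pos += 2
                length_mask, disp_shift = 0x0FFF, 12
                p = len(out) - chunk_start - 1
                while p >= 0x10:
                    length_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & length_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError('back-reference before chunk start')
                for _ in range(length):           # byte-wise copy handles overlap
                    out.append(out[-disp])
    return bytes(out)

def extract_resource(blob, key=b'12345'):
    # Order used by wali dropper1 according to the post: RC4 first, then LZNT1.
    return lznt1_decompress(rc4(key, blob))

def recover_xor_key(blob):
    # Single-byte XOR (the loader step; 0x63 in the analysed sample): try all 256
    # keys and accept the first that yields MZ with e_lfanew landing on a PE signature.
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        i = dec.find(b'MZ')
        while i >= 0 and i + 0x40 <= len(dec):
            e = i + struct.unpack_from('<I', dec, i + 0x3C)[0]
            if e >= i + 0x40 and dec[e:e + 4] == bytes([0x50, 0x45, 0, 0]):
                return key, i
            i = dec.find(b'MZ', i + 1)
    return None

# Constructed vectors (no sample bytes are published). The LZNT1 chunk is
# hand-assembled: 20 literals, then a match of length 8 at distance 20, which
# exercises the displacement-width shift that begins after 16 output bytes.
SAMPLE_PLAIN = b'ABCDEFGHIJKLMNOPQRST' + b'ABCDEFGH'
SAMPLE_LZNT1 = (bytes([0x18, 0xB0, 0x00]) + b'ABCDEFGH' + bytes([0x00]) + b'IJKLMNOP'
                + bytes([0x10]) + b'QRST' + bytes([0x05, 0x98]))
CONSTRUCTED_RESOURCE = rc4(b'12345', SAMPLE_LZNT1)
# Fake 0x400-byte PE (MZ, e_lfanew = 0x40, PE signature) behind ten bytes of loader data.
FAKE_PE = b'MZ' + bytes(0x3A) + bytes([0x40, 0, 0, 0]) + bytes([0x50, 0x45, 0, 0]) + bytes(0x3BC)
XORED_LOADER_BLOB = bytes(range(10)) + bytes(b ^ 0x63 for b in FAKE_PE)

if __name__ == '__main__':
    print(extract_resource(CONSTRUCTED_RESOURCE))
    print(recover_xor_key(XORED_LOADER_BLOB))
```

On a real sample, pass the raw bytes of resource 101 or 102 to extract_resource; an output that starts with MZ confirms both the key and the RC4-then-LZNT1 order. recover_xor_key is deliberately strict about the PE signature, because a single-byte XOR of a large buffer will usually produce the two bytes MZ somewhere by chance.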
Finally, it appends generated garbage data to the overlay of the dropped file and runs wali dropper2.\r\nWali dropper2 checks whether the user account has admin privileges, decrypts the wali loader using the same algorithm and key as dropper1, and creates new files at the following paths:\r\n%ProgramFiles%\\Common Files\\System\\Ole DB\\srvhost.exe\r\n%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\srvhost.exe\r\nIt also appends generated garbage data to the overlay, using the same function. Finally, it creates a registry value named “sunUpdate” under “HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” to ensure persistence.\r\nGeneration of Junk Data\r\nAppending junk data to the malware executable to inflate its file size is a feature quite unique to wali dropper1 and wali dropper2. We assume that by creating a large file the authors wanted to avoid AV detection, complicate sample exchange and stay below the radar of the most commonly used YARA rules. The function that generates the junk data is shown below:\r\nFig. Function to create junk data (create_garbage_data).\r\nThe create_garbage_data function generates a random byte in a loop with 1,000 iterations. In every iteration it fills blocks of data of random length, within certain dynamically calculated limits. The result of create_garbage_data is then written to the overlay of the decrypted wali loader, and the process is repeated 100 times. This produces ~100MB of junk data appended to the executable.\r\nFig. Loop to append the junk data to overlay.\r\nThe size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes.
The function that appends garbage produced a new malware file used in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33), whose size had increased to 105,982,049 bytes.\r\nAs the appended junk data is created dynamically and depends on random values, its size may vary. We have seen 100MB files as well as 50MB samples used in real-world attacks. The largest we observed was a 200MB malware sample created with the same trick. This technique currently doesn’t affect detection of the malware by Kaspersky Lab products. The malware is detected as:\r\nTrojan.Win32.Xxmm\r\nTrojan.Win64.Xxmm\r\nTrojan-Downloader.Win32.Xxmm\r\nTrojan-Downloader.Win64.Xxmm\r\nTrojan-Dropper.Win32.Xxmm\r\nTrojan-Dropper.Win64.Xxmm\r\nInflating file size with garbage data is not a completely new technique. Polymorphic viruses and worms previously used it a lot to mix original code with garbage data spread across the malware file, sometimes increasing the file size by hundreds of kilobytes or even megabytes. Certain software protectors may also insert decoy files into packed files and inflate the file size by up to 1MB. We have also seen executable malware disguised as movie files and ISO files spread over torrents; in these cases the malware size is inflated to a few gigabytes in order to mimic the true content.\r\nWhat is quite unique about this use of appended junk data is that the technique is applied in targeted attacks, after the initial infection and during the later phases of the attack, with the intention of increasing file size to avoid detection.\r\nWhile this technique may seem inefficient in its primitive approach to bypassing detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives.
The reason is that one common practice among YARA rule authors is to limit the size of scanned files, mainly to improve scanning performance. Large files like the ones produced by XXMM malware may become invisible to such rules, which is why we recommend that security researchers consider this when creating rules for dropped malware.\r\nIndicators of Compromise\r\nSHA256sum of samples\r\nWali dropper1:\r\n9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665\r\nWali dropper2:\r\nda05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a\r\n10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30\r\nWali loader + overlay:\r\n1f73d3a566ab7274b3248659144f1d092c8a5fc281f69aa71b7e459b72eb6db2\r\n24835916af9b1f77ad52ab62220314feea91d976fdacad6c942468e20c0d9ca1\r\n303c9fabf6cff78414cebee9873040aeb9dcf6d69962bd9e0bbe1a656376ed16\r\n3ffd5d3579bddbfd7136a6969c03673284b1c862129cfafe7a40beea1f56e790\r\n803a5a920684a5ab1013cb73bf8581045820f9fc8130407b8f81475d91ff7704\r\nd2126d012de7c958b1969b875876ac84871271e8466136ffd14245e0442b6fac\r\nd7b661754cae77aa3e77c270974a3fd6bda7548d97609ac174a9ca38ee802596\r\ndc5e8c6488f7d6f4dcfac64f8f0755eb8582df506730a1ced03b7308587cdc41\r\nf4a07e6dcb49cb1d819c63f17a8250f6260a944e6e9a59e822e6118fb1213031\r\nffd45bde777b112206b698947d9d9635e626d0245eb4cfc1a9365edc36614cbe\r\nWali loader:\r\na24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd\r\nb55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31\r\nc48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8\r\n725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae\r\ncfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1\r\nC2 (compromised web sites) of 
wali:\r\nhXXp://******essel[.]com/mt/php/tmpl/missing.php\r\nhXXp://******essel[.]com/mt/mt-static/images/comment/s.php\r\nhXXp://******hi[.]com/da******/hinshu/ki******/ki******.php\r\nhXXp://******an[.]jp/_module/menu/menug/index.php\r\nhXXp://******etop.co[.]jp/includes/firebug/index.php\r\nhXXp://******etop.co[.]jp/phpmyadmin/themes/pmahomme/sprites.html\r\nhXXp://******usai[.]com/ex-engine/modules/comment/queries/deleteComment.php\r\nhXXp://******1cs[.]net/zy/images/patterns/preview/deleteComments.php\r\nhXXp://******1cs[.]net/zy/images/colorpicker/s.php\r\nFilenames (over 50MB in size):\r\nsrvhost.exe\r\npropsyse.exe\r\nperfcore.exe\r\noldb32.exe\r\noledb32.exe\r\njavaup.exe\r\nSource: https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/"
	],
	"report_names": [
		"78010"
	],
	"threat_actors": [],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efef79e25b72e05f0028014b99c3f884b58976ed.pdf",
		"text": "https://archive.orkl.eu/efef79e25b72e05f0028014b99c3f884b58976ed.txt",
		"img": "https://archive.orkl.eu/efef79e25b72e05f0028014b99c3f884b58976ed.jpg"
	}
}