DropperXSW.A: Registry only malware

April 23, 2015

The Dell SonicWALL Research team received an interesting malware sample. After the initial install the malware has no presence on disk and uses a unique method to stay resident on the system using only registry keys. Together with its ability to hide the malicious registry keys, this makes the malware highly resistant to antivirus detection.

On execution the malware unpacks itself in memory, creates a registry key and copies its binary image into the value of that key.

The malware then copies its image into another process's address space and executes from there; this technique is called Process Hollowing or Dynamic Forking. To do this, it starts svchost.exe in suspended mode.

After this it invokes SYSENTER directly with the appropriate system call numbers, bypassing user-mode API hooks placed by security software. The sequence of system calls used to achieve Process Hollowing (the numbers are specific to the Windows version the sample was analysed on):

  • 0x32 - NtCreateSection
  • 0x6C - NtMapViewOfSection
  • 0x10B - NtUnmapViewOfSection
  • 0x19 - NtReleaseKeyedEvent
  • 0x55 - NtGetContextThread
  • 0xD5 - NtSetContextThread
  • 0xCE - NtResumeProcess
  • 0x101 - NtTerminateProcess

Now running in the address space of svchost.exe, it deletes the original installer. It sets inline hooks on the following APIs in order to conceal its presence on the machine:

  • NtEnumerateKey
  • NtQuerySystemInformation
  • NtEnumerateValueKey
  • RtlPcToFileHeader

AutoStart registry key created by the malware to stay resident:

    Run Entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This entry contains a script that reads another registry key created by the malware, using the following call: ('WScript.Shell').RegRead('HKCU\Software\xsw\loader')

    That key contains two values:

      BinaryImage32 : contains the malware file
      Loader : contains three components

      • Base64-encoded clean copies of the files mshta.exe and dynwrapx.dll
      • Base64-encoded manifests for both files
      • Shellcode responsible for reading the contents of BinaryImage32, invoking svchost.exe in suspended mode, copying the bytes into its memory and running it from there (Process Hollowing).
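The persistence layout described above can be triaged from the registry data itself. The following is an added example, not code from the original advisory or from SonicWALL: a small Python scanner that flags Run values which carry script that calls WScript.Shell.RegRead or launches mshta, and that carves base64-encoded PE images and manifests out of a loader value. Because the sample hooks NtEnumerateKey and NtEnumerateValueKey, live enumeration on an infected host may not return these keys; the scanner is therefore written to run over values already exported or parsed from the hive offline. The registry contents, the fake PE header, the manifest text and the Run entries below are all constructed for the example; the key path HKCU\Software\xsw\loader is the one the advisory names.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# --- Run-entry triage ------------------------------------------------------
# Indicators taken from the behaviour described in the advisory: a Run value
# that carries script rather than a program path, reads its payload back from
# the registry with WScript.Shell.RegRead, and relies on mshta.exe.
RUN_ENTRY_INDICATORS = {
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "regread": re.compile(r"\.RegRead\s*\(", re.I),
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
}

def triage_run_entry(command: str) -> list:
    """Return the names of the indicators that fire on one Run value."""
    return [name for name, rx in RUN_ENTRY_INDICATORS.items() if rx.search(command)]

# --- Carving base64-encoded payloads out of a value blob -------------------
# A run of at least 64 base64 characters, optionally padded; shorter runs are
# too small to hold a PE header or a manifest and are skipped.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """Minimal MZ/PE check: DOS magic plus an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(decoded: bytes) -> Optional[str]:
    if looks_like_pe(decoded):
        return "pe"
    if b"<assembly" in decoded:  # side-by-side manifests are XML <assembly> documents
        return "manifest"
    return None

def carve_payloads(value: bytes) -> list:
    """Find base64 runs inside a registry value that decode to a PE image or a manifest."""
    hits = []
    for m in BASE64_RUN.finditer(value):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not a valid base64 run, e.g. a stretch of ordinary text
        kind = classify(decoded)
        if kind:
            hits.append({"kind": kind, "offset": m.start(), "size": len(decoded)})
    return hits

# --- Constructed sample data (not the real sample's contents) --------------
def build_fake_pe() -> bytes:
    """An 88-byte stand-in: DOS header with e_lfanew=0x40, then a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

FAKE_MANIFEST = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" '
                 b'manifestVersion="1.0"></assembly>')

def build_sample_loader_value() -> bytes:
    """Mimic the described layout: encoded binary and manifest glued together with a separator."""
    parts = [b"v1", base64.b64encode(build_fake_pe()), base64.b64encode(FAKE_MANIFEST)]
    return b"|".join(parts) + b"|"

# Constructed Run values: one ordinary program entry and one modelled on the
# advisory's description of the xsw loader script.
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\Vendor\Updater.exe" /background',
    "xsw": "mshta javascript:new ActiveXObject('WScript.Shell')"
           ".RegRead('HKCU\\Software\\xsw\\loader')",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_VALUES.items():
        print(f"{name}: {triage_run_entry(cmd) or 'clean'}")
    for hit in carve_payloads(build_sample_loader_value()):
        print(hit)
```

The PE check deliberately stops at the DOS magic and the PE signature: a loader stores complete, unmodified copies of mshta.exe and dynwrapx.dll, so anything beyond that is better handed to a proper PE parser or a hash lookup against the known-clean files once the blob has been carved out.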

The malware also adds itself to the compatible applications list of Terminal Server:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\RUNDLL32, Flags = 408

It makes DNS queries for:

    • terracematch.org
    • versatilegreenwood.net

    It connects to the site:


SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • DropperXSW.A (Trojan)