General

  • Target

    NEAS.fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623dexe_JC.exe

  • Size

    285KB

  • Sample

    231019-zjkj2sbf4w

  • MD5

    4db1b428d0e115a810836f937d786f38

  • SHA1

    35e8722f5bf1997d6022fa512f60458470a8999e

  • SHA256

    fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623d

  • SHA512

    091491e4cb375eceadcff843cef080815b1f802e0182d260d750f7afc8197eb09461ed9b119b04eff0839c627d2630bfb1e9409de0da12086e2d15bb12565109

  • SSDEEP

    6144:mlVD0j3qci00ei4m4d3hJkuRi7g9BOu6xb4YnDy:X2cibT4d3hJLUWwu6F4YW

Malware Config

Targets

    • Target

      NEAS.fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623dexe_JC.exe

    • Size

      285KB

    • MD5

      4db1b428d0e115a810836f937d786f38

    • SHA1

      35e8722f5bf1997d6022fa512f60458470a8999e

    • SHA256

      fd59543a425d2159dfadba8efd4d40178b609ef123a8bc5cf00fe3afef95623d

    • SHA512

      091491e4cb375eceadcff843cef080815b1f802e0182d260d750f7afc8197eb09461ed9b119b04eff0839c627d2630bfb1e9409de0da12086e2d15bb12565109

    • SSDEEP

      6144:mlVD0j3qci00ei4m4d3hJkuRi7g9BOu6xb4YnDy:X2cibT4d3hJLUWwu6F4YW

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (204) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks