Overview

overview

10

Static

static

5

b9e12bc76b...18.exe

windows7-x64

10

b9e12bc76b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-04-2024 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    b9e12bc76b7927f9f9a633db2b8b5b40

  • SHA1

    7d2f96d9f8bd7bc3dc070512113addf136e9c6cc

  • SHA256

    3729adfd4d5e70a7e7cfffd62697ef6954485986e5c13fa48a71885e425ed75d

  • SHA512

    1581ad5d02b9b2602cecc1c4ed32f0d4a0e37175a64940c7bfa38dcd71cfcdf18c4dac7fbcf5082f54f4e46115d4170d0e777441bf0e8ebe00167eae49abebe7

  • SSDEEP

    24576:dAHnh+eWsN3skA4RV1Hom2KXMmHaBSvsolOeKYjcNApi5:8h+ZkldoPK8YaB9oVTcNP

Score
10/10
phobosdiscoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2832
      • C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\b9e12bc76b7927f9f9a633db2b8b5b40_JaffaCakes118.exe"
          4⤵
            PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7-zip32.dll
      Filesize

      65KB

      MD5

      e5f729728ef63949ee08cdb344e199a0

      SHA1

      39869fb44914a7aa172a48342d39dbdfbda4d65c

      SHA256

      ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2

      SHA512

      5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
      Filesize

      24B

      MD5

      1681ffc6e046c7af98c9e6c232a3fe0a

      SHA1

      d3399b7262fb56cb9ed053d68db9291c410839c4

      SHA256

      9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

      SHA512

      11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

      Download Submit

    • memory/2832-31-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-34-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-21-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-25-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-27-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-29-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-2-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-9-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-32-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-42-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-47-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-53-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2832-70-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3912-0-0x0000000003E00000-0x0000000003E0E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3912-1-0x0000000003E10000-0x0000000003E11000-memory.dmp

      Filesize

      4KB

      Download