phoenix | 195c8edd53b0bead92afcf59d84011f774471c10f1456242296eac55a40fca76

General

Target

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
Size

1.1MB
MD5

1368c5c6d641570b1402adca6e7be846
SHA1

86f2be85cd5539765cb2929b9b17fc6f81a90673
SHA256

195c8edd53b0bead92afcf59d84011f774471c10f1456242296eac55a40fca76
SHA512

bc711238fb49850a863afa5727aad8325b61bd398d03e15e03083de0c7198d892957e12405c363eae30df43c0d2513f93be512d24fb685a4262177afdb96a084
SSDEEP

24576:6u6Jx3O0c+JY5UZ+XC0kGso/WaKF8lInYSHgWY:MI0c++OCvkGsUWaKBY

Score

10^/10

phoenix collection keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
bhavnatutor.com
Port:
587
Username:
[email protected]
Password:
Onyeoba111

Signatures

Phoenix Keylogger
Phoenix is a keylogger and info stealer first seen in July 2019.
stealer keylogger phoenix

Phoenix Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2524-7-0x0000000005930000-0x0000000005968000-memory.dmp	family_phoenix

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ifconfig.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

description pid process target process

PID 1832 set thread context of 2524 1832 1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

2524 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2524 MSBuild.exe

flow	ioc
7	ifconfig.me

description	pid	process	target process
PID 1832 set thread context of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe

pid	process
2524	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2524	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

pid	process
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

pid	process
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

description	pid	process	target process
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x00000000017E0000-0x00000000017FF000-memory.dmp

Filesize
124KB

Download
memory/1832-1-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/2524-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-6-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2524-7-0x0000000005930000-0x0000000005968000-memory.dmp

Filesize
224KB

Download
memory/2524-8-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/2524-9-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/2524-10-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/2524-11-0x00000000067F0000-0x0000000006856000-memory.dmp

Filesize
408KB

Download
memory/2524-12-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/2524-13-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/2524-14-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads