phorphiex | 31fee21f74a3be7ddc0947ff40c941a68545a7f183e56c52b4830c0dbb815a89

Windows Service

T1543.003

Disable or Modify Tools

Processes:

taskhostw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	taskhostw.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\17080295423073\taskhostw.exe	family_phorphiex

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	taskhostw.exe

Executes dropped EXE 1 IoCs

Processes:

taskhostw.exe

pid process

2708 taskhostw.exe
Loads dropped DLL 4 IoCs

Processes:

22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exeWerFault.exe

pid process

1924 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
2268 WerFault.exe
2268 WerFault.exe
2268 WerFault.exe

pid	process
2708	taskhostw.exe

pid	process
1924	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskhostw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\17080295423073\\taskhostw.exe"	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\17080295423073\\taskhostw.exe"	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

Processes:

taskhostw.exe

description ioc process

File opened for modification C:\Program Files\7-Zip\7z.exe taskhostw.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 2708 WerFault.exe taskhostw.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	taskhostw.exe

pid	pid_target	process	target process
2268	2708	WerFault.exe	taskhostw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exetaskhostw.exe

description	pid	process	target process
PID 1924 wrote to memory of 2708	1924	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe	taskhostw.exe
PID 1924 wrote to memory of 2708	1924	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe	taskhostw.exe
PID 1924 wrote to memory of 2708	1924	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe	taskhostw.exe
PID 1924 wrote to memory of 2708	1924	22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe	taskhostw.exe
PID 2708 wrote to memory of 2268	2708	taskhostw.exe	WerFault.exe
PID 2708 wrote to memory of 2268	2708	taskhostw.exe	WerFault.exe
PID 2708 wrote to memory of 2268	2708	taskhostw.exe	WerFault.exe
PID 2708 wrote to memory of 2268	2708	taskhostw.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\17080295423073\taskhostw.exe
C:\17080295423073\taskhostw.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1808
3⤵
- Loads dropped DLL
- Program crash
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

4

Impair Defenses

3

T1562

Disable or Modify Tools

3