Overview

overview

10

Static

static

3

2dd02ccf7a...18.exe

windows7-x64

10

2dd02ccf7a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    2dd02ccf7a6df802b1324389ea4906e5

  • SHA1

    3a0c5200f2141fabde18ee56b5a86b23fd5399a9

  • SHA256

    d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309

  • SHA512

    295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26

  • SSDEEP

    6144:g4KsCYthSgTwEXat/el4l00CTR4HjvmwOM1:g4tCYHqEXY/e3VQx1

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://193.32.161.73/

http://gosurrhrguhr.cc/

http://goheufuhufdr.cc/

http://olruheuuruur.cc/

http://buaeabguguur.cc/

http://ebgiaueghuur.cc/

http://bfbaiefiheir.cc/

http://eeeieiieirdr.cc/

http://abfeiagihisr.cc/

http://nkoaefuhfuhr.cc/

http://ezaziiezfzgr.cc/

http://egaueuefuhgr.cc/

http://aoufauhuefur.cc/

http://aieiiieitter.cc/

http://miokpkaeofkr.cc/

http://rzauerzueutr.cc/

http://gosurrhrguho.co/

http://goheufuhufdo.co/

http://olruheuuruuo.co/

http://buaeabguguuo.co/
Wallets

1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh

qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0xa5228127395263575a4b4f532e4f132b14599d24

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Phorphiex payload 3 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\217602435\sysidnu.exe
      C:\Windows\217602435\sysidnu.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\217602435\sysidnu.exe
    Filesize

    320KB

    MD5

    2dd02ccf7a6df802b1324389ea4906e5

    SHA1

    3a0c5200f2141fabde18ee56b5a86b23fd5399a9

    SHA256

    d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309

    SHA512

    295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26

    Download Submit
  • memory/1760-0-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1760-1-0x0000000000430000-0x0000000000437000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1760-2-0x0000000002210000-0x000000000221B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1760-10-0x0000000000430000-0x0000000000437000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3840-8-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3840-11-0x00000000005B0000-0x00000000005BB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3840-12-0x00000000005B0000-0x00000000005BB000-memory.dmp
    Filesize

    44KB

    Download