phorphiex | 9875c102bbe89ad636096efca6b04d6b843529eb9717d822f7b0b42a087c7332

General

Target

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
Size

558KB
MD5

bb08689787fcb4bc029679acd1708177
SHA1

1196862efcda000b348ace3189191e36e700791b
SHA256

9875c102bbe89ad636096efca6b04d6b843529eb9717d822f7b0b42a087c7332
SHA512

15b5e7654ac67727b4d4942a21559858e056c6789685f7401ab19f0b8a043278ed5a0c13940f0903bebbc8c8d5afa86acd7cad72721c36a7a801bd19f142c46c
SSDEEP

12288:81M6LVFTIp5uFCGTlbmb6UXitm9eGFNK2g9:81DTIpqrY6yixGFvw

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/vnc/

http://urusurofhsorhfuuhm.su/vnc/

http://aeifaeifhutuhuhusm.su/vnc/

http://rzhsudhugugfugugsm.su/vnc/

http://bfagzzezgaegzgfaim.su/vnc/

http://eaeuafhuaegfugeudm.su/vnc/

http://aeufuaehfiuehfuhfm.su/vnc/

http://daedagheauehfuuhfm.su/vnc/

http://aeoughaoheguaoehdm.su/vnc/

http://eguaheoghouughahsm.su/vnc/

http://huaeokaefoaeguaehm.su/vnc/

http://afaeigaifgsgrhhafm.su/vnc/

http://afaigaeigieufuifim.su/vnc/

http://geauhouefheuutiiim.su/vnc/

http://gaoheeuofhefefhutm.su/vnc/

http://gaouehaehfoaeajrsm.su/vnc/

http://gaohrhurhuhruhfsdm.su/vnc/

http://gaghpaheiafhjefijm.su/vnc/

http://gaoehuoaoefhuhfugm.su/vnc/

http://aegohaohuoruitiiem.su/vnc/

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

sysegmi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysegmi.exe

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysegmi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysegmi.exe

Executes dropped EXE 1 IoCs

Processes:

sysegmi.exe

pid process

2600 sysegmi.exe
Loads dropped DLL 2 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

pid process

2128 bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128 bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

pid	process
2600	sysegmi.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysegmi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysegmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysegmi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\587211341\\sysegmi.exe"	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\587211341\\sysegmi.exe"	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\587211341\sysegmi.exe	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
File opened for modification	C:\Windows\587211341\sysegmi.exe	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
File opened for modification	C:\Windows\587211341	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exesysegmi.exe

pid	process
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe
2600	sysegmi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exesysegmi.exe

description pid process

Token: SeDebugPrivilege 2128 bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
Token: SeDebugPrivilege 2600 sysegmi.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exesysegmi.exe

pid process

2128 bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
2600 sysegmi.exe

description	pid	process
Token: SeDebugPrivilege	2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	sysegmi.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe

description	pid	process	target process
PID 2128 wrote to memory of 2600	2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe	sysegmi.exe
PID 2128 wrote to memory of 2600	2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe	sysegmi.exe
PID 2128 wrote to memory of 2600	2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe	sysegmi.exe
PID 2128 wrote to memory of 2600	2128	bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe	sysegmi.exe

C:\Users\Admin\AppData\Local\Temp\bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb08689787fcb4bc029679acd1708177_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\587211341\sysegmi.exe
C:\Windows\587211341\sysegmi.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\587211341\sysegmi.exe
Filesize
558KB

MD5
bb08689787fcb4bc029679acd1708177

SHA1
1196862efcda000b348ace3189191e36e700791b

SHA256
9875c102bbe89ad636096efca6b04d6b843529eb9717d822f7b0b42a087c7332

SHA512
15b5e7654ac67727b4d4942a21559858e056c6789685f7401ab19f0b8a043278ed5a0c13940f0903bebbc8c8d5afa86acd7cad72721c36a7a801bd19f142c46c

Download Submit
memory/2128-1-0x0000000000462000-0x000000000046B000-memory.dmp

Filesize
36KB

Download
memory/2128-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2128-3-0x0000000000270000-0x0000000000279000-memory.dmp

Filesize
36KB

Download
memory/2128-14-0x0000000000462000-0x000000000046B000-memory.dmp

Filesize
36KB

Download
memory/2600-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2600-16-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads