Malware Analysis Report

2024-09-22 14:54

Sample ID 240618-rsefdsxelc
Target 019f79bad911018716678def3bc289b1.7z
SHA256 24f5ebdad00d567029760a3e364b2702d1402fe4dc6c7e0801824b02bd239c22
Tags upx gh0strat purplefox persistence rat rootkit trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 24f5ebdad00d567029760a3e364b2702d1402fe4dc6c7e0801824b02bd239c22

Threat Level: Known bad

The file 019f79bad911018716678def3bc289b1.7z was found to be: Known bad.

Malicious Activity Summary

upx gh0strat purplefox persistence rat rootkit trojan

Detect PurpleFox Rootkit

PurpleFox

Gh0st RAT payload

Gh0strat

Drops file in Drivers directory

Sets service image path in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Deletes itself

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:27

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:27

Reported

2024-06-18 14:29

Platform

win7-20240419-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Phija.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phija.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\O: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\G: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Phija.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: 33 | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: 33 | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Phija.exe

"C:\Users\Admin\AppData\Local\Temp\Phija.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Phija.exe > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
HK | 206.238.43.201:8080 | | tcp

Files

memory/2180-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2180-1-0x0000000010000000-0x000000001019F000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

MD5 bd50ba38259a5c7a2a376ea20c16d895
SHA1 a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
SHA256 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
SHA512 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66

memory/2180-21-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2092-22-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2180-20-0x0000000002C70000-0x0000000002DB7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:27

Reported

2024-06-18 14:29

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Phija.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Phija.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Phija.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: 33 | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: 33 | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Phija.exe

"C:\Users\Admin\AppData\Local\Temp\Phija.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Phija.exe > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
HK | 206.238.43.201:8080 | | tcp
HK | 206.238.43.201:8080 | | tcp
HK | 206.238.43.201:8080 | | tcp
HK | 206.238.43.201:8080 | | tcp
US | 52.111.229.43:443 | | tcp
HK | 206.238.43.201:8080 | | tcp
HK | 206.238.43.201:8080 | | tcp
HK | 206.238.43.201:8080 | | tcp

Files

memory/788-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/788-1-0x0000000010000000-0x000000001019F000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe

MD5 bd50ba38259a5c7a2a376ea20c16d895
SHA1 a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
SHA256 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
SHA512 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66

memory/788-16-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1884-17-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1884-34-0x0000000000400000-0x0000000000547000-memory.dmp