Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-07-2024 16:14

General

  • Target

    5820a8e57fa4d637879cb497a8888cc1_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    5820a8e57fa4d637879cb497a8888cc1

  • SHA1

    069d0e2bb993df8d94bfae8d7932be4aa1926ce2

  • SHA256

    25b2db6412500a86c7a47ad4d88fe9d556cf677e50214355ddc0d34a620bbaf9

  • SHA512

    086bb7b98c8e948df20dbf70a5e01a24fa8a4490923fbd8e932d20e3272b76997b182f279be2e0929c2eb05fe5971e43b9619197f9bbed99b40251d672620c57

  • SSDEEP

    768:GsNLIk+WHQYNqPH6aRdyXDjbBJ3+seF+4WOJ:kkDH+PH9dyzj7eF/

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.93/

http://gimmefile.top/

http://feedmefile.top/

http://gotsomefile.top/

http://185.215.113.66/

Wallets

15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N

1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv

3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ

bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr

XkcKjKZqNUkChwJXMj5uDjDns6etXvakir

D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb

0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE

LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG

rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44

TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB

t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V

AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3

44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822

GBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMV

bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgc

bc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3
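
The Wallets list above holds one address for each of roughly fifteen chains (Bitcoin legacy and bech32, Bitcoin Cash, Ethereum, Litecoin, Dogecoin, Dash, XRP, Tron, Zcash, Monero, Stellar, BNB and others). That is the shape of a clipboard-hijacker ("clipper") table: the bot watches the clipboard for anything that looks like a wallet address and swaps in the attacker's address for the same chain. The block below is an added example, not code from the sample or from the report; it classifies addresses by prefix, length and alphabet (heuristics constructed here, no checksum validation), builds the per-chain swap table from the extracted list, shows the substitution the clipper performs on a copied address, and gives the defender-side check: did a clipboard update replace a wallet address with one from the IOC list of the same chain? The polkadot label for the 48-character address starting with `1` is an assumption based on its SS58-like form.

```python
import re

# Replacement addresses from the extracted config ("Wallets" above).
PHORPIEX_WALLETS = [
    "15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N",
    "1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv",
    "3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ",
    "bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr",
    "XkcKjKZqNUkChwJXMj5uDjDns6etXvakir",
    "D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb",
    "0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE",
    "LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG",
    "rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44",
    "TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB",
    "t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V",
    "AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3",
    "44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822",
    "GBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMV",
    "bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgc",
    "bc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3",
]

B58 = "[1-9A-HJ-NP-Za-km-z]"   # Bitcoin base58 alphabet (no 0, O, I, l)
B32 = "[ac-hj-np-z02-9]"       # bech32 / CashAddr alphabet (no 1, b, i, o)

# Address-family heuristics (prefix, length, alphabet). Constructed for this
# example: they name the chain an address looks like and do NOT check checksums.
CHAIN_PATTERNS = [
    ("ethereum",    re.compile(r"0x[0-9a-fA-F]{40}")),
    ("btc-bech32",  re.compile(r"bc1" + B32 + "{25,62}")),
    ("bitcoincash", re.compile(r"(?:bitcoincash:)?q" + B32 + "{41}")),
    ("binance",     re.compile(r"bnb1" + B32 + "{38}")),
    ("btc-legacy",  re.compile(r"[13]" + B58 + "{25,34}")),
    ("polkadot",    re.compile(r"1" + B58 + "{46,47}")),   # assumed: SS58 form
    ("litecoin",    re.compile(r"[LM]" + B58 + "{26,33}")),
    ("dogecoin",    re.compile(r"D[5-9A-HJ-NP-U]" + B58 + "{32}")),
    ("dash",        re.compile(r"X" + B58 + "{33}")),
    ("ripple",      re.compile(r"r" + B58 + "{24,34}")),
    ("tron",        re.compile(r"T" + B58 + "{33}")),
    ("zcash",       re.compile(r"t1" + B58 + "{33}")),
    ("ark",         re.compile(r"A" + B58 + "{33}")),
    ("monero",      re.compile(r"4[0-9AB]" + B58 + "{93}")),
    ("stellar",     re.compile(r"G[A-Z2-7]{55}")),
]

# Anything address-shaped in free text (the clipper scans the whole clipboard).
ADDR_TOKEN = re.compile(r"(?:bitcoincash:)?[A-Za-z0-9]{26,95}")


def classify(addr):
    """Return the chain family an address looks like, or None."""
    for chain, pat in CHAIN_PATTERNS:
        if pat.fullmatch(addr):
            return chain
    return None


def swap_table(wallets):
    """chain -> attacker address; the first address listed for a chain wins."""
    table = {}
    for w in wallets:
        chain = classify(w)
        if chain is None:
            raise ValueError("unrecognised address format: " + w)
        table.setdefault(chain, w)
    return table


def find_addresses(text):
    """All (address, chain) pairs in a piece of text, unknown formats skipped."""
    found = []
    for m in ADDR_TOKEN.finditer(text):
        chain = classify(m.group(0))
        if chain:
            found.append((m.group(0), chain))
    return found


def simulate_swap(text, table):
    """What the clipper does to clipboard text: keep the chain, change the address."""
    def repl(m):
        chain = classify(m.group(0))
        return table.get(chain, m.group(0)) if chain else m.group(0)
    return ADDR_TOKEN.sub(repl, text)


def flag_clipboard_change(before, after, wallets=PHORPIEX_WALLETS):
    """Defender-side check between two clipboard snapshots: return
    (chain, original, attacker) if an address was replaced by an IOC address
    of the same chain, else None."""
    iocs = set(wallets)
    old = {addr: chain for addr, chain in find_addresses(before)}
    for addr, chain in find_addresses(after):
        if addr in iocs:
            originals = [a for a, c in old.items() if c == chain and a != addr]
            if originals:
                return (chain, originals[0], addr)
    return None
```

Matching on the raw IOC list is the strong signal here; the chain heuristics only exist so that a swap is recognised as "same chain, different address" rather than as the user copying something unrelated. Addresses that the attacker rotates in a later build will not be in the list, so a clipboard monitor should also alert on any address-for-address substitution that happens with no user keystroke in between.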

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
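
Two of the five C2 entries are bare IP addresses reached over plain HTTP, and the User-Agent is a fixed Chrome/89 build string (Chrome 89 shipped in March 2021, so it is well out of date for a sample submitted in July 2024). Both are worth a proxy-log rule. The block below is an added example, not part of the report: it scans constructed proxy log lines (the `/3` path is a guess from the WinINet cache entry `3[1]` in the Downloads section; `203.0.113.10` is a control host that only shares the User-Agent) and returns, per request, which of three signals fired: destination in the extracted C2 list, exact match on the hard-coded User-Agent, and plain HTTP to an IP literal.

```python
import re
from ipaddress import ip_address

# C2 hosts and the hard-coded User-Agent from the extracted config above.
C2_HOSTS = {
    "185.215.113.93", "185.215.113.66",
    "gimmefile.top", "feedmefile.top", "gotsomefile.top",
}
PHORPIEX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36")

# Constructed proxy log: epoch, client, method, url, status, "user-agent".
# The /3 path is a guess from the cache entry 3[1]; 203.0.113.10 is a control.
SAMPLE_LOG = """\
1721319240.101 10.0.0.5 GET http://185.215.113.93/3 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
1721319241.220 10.0.0.5 GET http://gimmefile.top/3 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
1721319250.004 10.0.0.7 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
1721319255.310 10.0.0.9 GET http://203.0.113.10/update.bin 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d+) "(?P<ua>[^"]*)"$'
)
URL_HOST = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:?#]+)", re.I)


def is_ip_literal(host):
    """True for a dotted-quad or IPv6 literal, False for a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score(url, ua):
    """Detection reasons for one request; an empty list means nothing fired."""
    m = URL_HOST.match(url)
    if not m:
        return []
    scheme, host = m["scheme"].lower(), m["host"].lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known-c2-host")
    if ua == PHORPIEX_UA:
        reasons.append("phorpiex-hardcoded-ua")
    if scheme == "http" and is_ip_literal(host):
        reasons.append("plain-http-to-ip-literal")
    return reasons


def scan(log_text):
    """Run score() over every parseable line; return the requests that alerted."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        reasons = score(m["url"], m["ua"])
        if reasons:
            alerts.append({"client": m["client"], "url": m["url"], "reasons": reasons})
    return alerts
```

The User-Agent match on its own is the weakest of the three: the same Chrome/89 string turns up in unrelated tooling, so treat it as a boost for the other two signals rather than as an alert by itself. The C2 host list, by contrast, is safe to block outright.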

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Phorphiex payload 2 IoCs
  • Phorphiex, Phorpiex

    Phorpiex (also written Phorphiex) is a malware family that infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 21 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5820a8e57fa4d637879cb497a8888cc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5820a8e57fa4d637879cb497a8888cc1_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\274051334913836\spoolsv.exe
      C:\274051334913836\spoolsv.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Local\Temp\1481638898.exe
        C:\Users\Admin\AppData\Local\Temp\1481638898.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\sylsplvc.exe
          C:\Windows\sylsplvc.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Users\Admin\AppData\Local\Temp\2277522949.exe
            C:\Users\Admin\AppData\Local\Temp\2277522949.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3944
            • C:\Windows\winblrsnrcs.exe
              C:\Windows\winblrsnrcs.exe
              6⤵
              • Modifies security service
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              PID:4068
          • C:\Users\Admin\AppData\Local\Temp\2363714522.exe
            C:\Users\Admin\AppData\Local\Temp\2363714522.exe
            5⤵
            • Executes dropped EXE
            PID:3784
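
The process tree above has three features a process-creation rule can key on without any hashes: a binary named spoolsv.exe running from a top-level directory made only of digits (the real one lives in C:\Windows\System32), stage binaries in %TEMP% whose names are just digits, and executables dropped directly into C:\Windows (not a subdirectory) and launched by one of those Temp-resident stages. The block below is an added example, not part of the report and not the sandbox's own signature logic: it parses constructed Sysmon-style process-creation lines built from the PIDs and paths in the tree (the parent links follow the tree's nesting; the explorer.exe and System32 spoolsv.exe entries with PIDs 800/1000/1200 are benign controls added for contrast), applies those rules, and reconstructs the lineage of any hit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Constructed process-creation log in a Sysmon Event ID 1 key=value style.
# PIDs and image paths are those of the process tree above; 800/1000/1200 are
# benign controls added for this example.
SAMPLE_LOG = """\
ProcessId=1000 ParentProcessId=800 Image=C:\\Windows\\explorer.exe
ProcessId=1200 ParentProcessId=800 Image=C:\\Windows\\System32\\spoolsv.exe
ProcessId=5028 ParentProcessId=1000 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\5820a8e57fa4d637879cb497a8888cc1_JaffaCakes118.exe
ProcessId=3972 ParentProcessId=5028 Image=C:\\274051334913836\\spoolsv.exe
ProcessId=5092 ParentProcessId=3972 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\1481638898.exe
ProcessId=388 ParentProcessId=5092 Image=C:\\Windows\\sylsplvc.exe
ProcessId=3944 ParentProcessId=388 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\2277522949.exe
ProcessId=4068 ParentProcessId=3944 Image=C:\\Windows\\winblrsnrcs.exe
ProcessId=3784 ParentProcessId=388 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\2363714522.exe
"""

LINE = re.compile(r"ProcessId=(\d+) ParentProcessId=(\d+) Image=(.+)$")

# Where Windows actually keeps these binaries; the same name anywhere else is a masquerade.
SYSTEM_BINARIES = {"spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"}}

NUMERIC_ROOT_DIR = re.compile(r"^[a-z]:\\\d+\\[^\\]+\.exe$", re.I)      # C:\274051334913836\x.exe
NUMERIC_NAME = re.compile(r"\\\d+\.exe$")                                # ...\1481638898.exe
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\Windows\\[^\\]+\.exe$", re.I)  # C:\Windows\x.exe, no subdir


def parse_events(log_text: str) -> List[ProcEvent]:
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(ProcEvent(int(m.group(1)), int(m.group(2)), m.group(3)))
    return events


def rules_for(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Names of the rules a single process-creation event trips."""
    hits = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and ev.image.lower() not in SYSTEM_BINARIES[name]:
        hits.append("system-binary-masquerade")
    if NUMERIC_ROOT_DIR.match(ev.image):
        hits.append("exe-in-numeric-root-dir")
    if NUMERIC_NAME.search(ev.image) and TEMP_DIR.search(ev.image):
        hits.append("numeric-temp-exe")
    parent = by_pid.get(ev.ppid)
    if WINDOWS_ROOT_EXE.match(ev.image) and parent and TEMP_DIR.search(parent.image):
        hits.append("windows-root-exe-from-temp-parent")
    return hits


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """pid -> rule hits, for every event that tripped at least one rule."""
    by_pid = {e.pid: e for e in events}
    result = {}
    for e in events:
        hits = rules_for(e, by_pid)
        if hits:
            result[e.pid] = hits
    return result


def lineage(pid: int, events: List[ProcEvent]) -> List[str]:
    """Image basenames from the given process up to its oldest known ancestor."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain
```

Note what the rules do and do not catch: the submitted sample itself (PID 5028) trips nothing, since it is just an executable in Temp with an arbitrary name, and only becomes visible through its children, which is why the lineage walk matters for scoping a cleanup. The Downloads section also shows that C:\274051334913836\spoolsv.exe has exactly the same MD5, SHA1, SHA256 and SHA512 as the 400KB submitted file, so it is a byte-for-byte self-copy and a hash IOC for the sample covers it; the Temp stages (1481638898.exe, 2277522949.exe, 2363714522.exe) and the two C:\Windows binaries they launch have their own hashes and need the behavioural rules above.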

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\274051334913836\spoolsv.exe

    Filesize

    400KB

    MD5

    5820a8e57fa4d637879cb497a8888cc1

    SHA1

    069d0e2bb993df8d94bfae8d7932be4aa1926ce2

    SHA256

    25b2db6412500a86c7a47ad4d88fe9d556cf677e50214355ddc0d34a620bbaf9

    SHA512

    086bb7b98c8e948df20dbf70a5e01a24fa8a4490923fbd8e932d20e3272b76997b182f279be2e0929c2eb05fe5971e43b9619197f9bbed99b40251d672620c57

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S5KAZR04\3[1]

    Filesize

    86KB

    MD5

    fe1e93f12cca3f7c0c897ef2084e1778

    SHA1

    fb588491ddad8b24ea555a6a2727e76cec1fade3

    SHA256

    2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

    SHA512

    36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

  • C:\Users\Admin\AppData\Local\Temp\1481638898.exe

    Filesize

    79KB

    MD5

    1e8a2ed2e3f35620fb6b8c2a782a57f3

    SHA1

    e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

    SHA256

    3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

    SHA512

    ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

  • C:\Users\Admin\AppData\Local\Temp\2277522949.exe

    Filesize

    18KB

    MD5

    c53b73c89515e712a301a9d17e313900

    SHA1

    154b857b1ceec6938851e57baa0861b6a1fceb16

    SHA256

    6e24c56691c01a191e88f193966e04000fe5b83caa9b5adb4afebbd6cc717c68

    SHA512

    eeefbefd1c36f8493c58cda9dbfa9ae6580a7507fb99f1deb3f869348a7e92d702cdae50c4f035b31303717984b4282fa9777e92fdd1a0c70ec32f4e7063efc0

  • C:\Users\Admin\AppData\Local\Temp\2363714522.exe

    Filesize

    10KB

    MD5

    9d3a5017e86fd5e182ca58c8293ffa3e

    SHA1

    242a24a7cda4f7c7a87c19c1ce036227b48f8235

    SHA256

    c339b1bf9947ba07e9203ebfdd6f41cf8414f4ef795d528c8f768eab0d136586

    SHA512

    009a35103362a59f83100425c702bf0072be3a3fa1afd508bc530f26a2b78f607ec70ffc4a2c929596943864b1a507a1ff4714bbfb4784d44d8dfa22084b710b