General
-
Target
774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118
-
Size
23.2MB
-
Sample
240727-hvy35stbjn
-
MD5
774c8da38e2508dd73b56b33c3bea62b
-
SHA1
4d118194ed4b9ebcad837f9dcbb4c2c6d7d75039
-
SHA256
654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52
-
SHA512
15064d605d7c4e7184aeba2d443f821629a5fa0113dc5e4203ca97864df954d1bcff1992abddba86f517479bfbc4ffa2df7ffa3432b13e7dfa9ba1a8a9c6b0d4
-
SSDEEP
393216:uqzoRzWy1upx+2foBNNWLlss+UCAMrhU5XCXxv8jydfZxzuZTJKTq57rPGkET1yI:Dmup2LNiy42hSCXxSypZxqfPz3ET1rR
Malware Config
Extracted
phorphiex
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b
THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto
1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6
qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL
LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX
rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH
ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH
t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn
bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd
bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg
bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
-
mutex
tre5eer
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Targets
-
-
Target
774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118
-
Size
23.2MB
-
MD5
774c8da38e2508dd73b56b33c3bea62b
-
SHA1
4d118194ed4b9ebcad837f9dcbb4c2c6d7d75039
-
SHA256
654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52
-
SHA512
15064d605d7c4e7184aeba2d443f821629a5fa0113dc5e4203ca97864df954d1bcff1992abddba86f517479bfbc4ffa2df7ffa3432b13e7dfa9ba1a8a9c6b0d4
-
SSDEEP
393216:uqzoRzWy1upx+2foBNNWLlss+UCAMrhU5XCXxv8jydfZxzuZTJKTq57rPGkET1yI:Dmup2LNiy42hSCXxSypZxqfPz3ET1rR
Score10/10-
Modifies security service
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Windows security bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2