phoenix | 0920dc44442e04d196db33657904fa09414b02c767c56ef06b17d6a5ef2d5f53

General

Target

f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
Size

136KB
MD5

f5c6c27712a5569b304ff01ca5b1c7c8
SHA1

5f4cc37234cd430b71f3577e9ba38e5f6112ef33
SHA256

0920dc44442e04d196db33657904fa09414b02c767c56ef06b17d6a5ef2d5f53
SHA512

8516098a5e227141cd6c24e3fd8e78d21f37ec9574193282b5b6bf81ad3bb7260041ceb5cd2a6193d5f54023862af8beb9686a479ee0b4334cac0b8d79d208ab
SSDEEP

3072:MVP+ZJePc0+wJmWpCCNH0aAW9Bk6VKaVmBPxReklfxGYjuGmh:MVHPc0CeTnAKVKaghbXVUGm

Score

10^/10

phoenix collection credential_access discovery keylogger spyware stealer

Malware Config

Signatures

Phoenix Keylogger
Phoenix is a keylogger and info stealer first seen in July 2019.
stealer keylogger phoenix

Phoenix Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/2656-2-0x0000000000320000-0x0000000000360000-memory.dmp	family_phoenix

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ifconfig.me

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5c6c27712a5569b304ff01ca5b1c7c8_JaffaCakes118.exe"
1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x0000000000FB0000-0x0000000000FD6000-memory.dmp

Filesize
152KB

Download
memory/2656-2-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2656-3-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-4-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2656-5-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing