phorphiex | d3cae8c46ffb9be79aeb3db8890dd844f03f795b23e0865c896052806bb3b925

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
Size

14KB
MD5

b78cc453ef6735d9fc1d91658309b3c9
SHA1

1c9a19aea4f21b5dc77965717f9813a8b265ff7d
SHA256

d3cae8c46ffb9be79aeb3db8890dd844f03f795b23e0865c896052806bb3b925
SHA512

2adc091fe870a67ad93dd7fa12842484bcca73188df45ccdcfe46c4d9037d061fb41a5a239dca5e4a5e11a984f7336332efb6bd0568d9669bf7a181be5158078
SSDEEP

384:RKL1qxnGijrYYVLJZKxo9kxouWxye2uldETQUvpNmSa0VQ:RKLWGu8QFZKsmopxyefldoQUefqQ

Score

10^/10

phorphiex discovery loader trojan worm

Malware Config

Signatures

Phorphiex family
phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mssock.sys	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mssql.dll	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mssql.dll	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2804	2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2804	2884	b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
198B

MD5
adc37bd4d63883ba16a387688dbd1914

SHA1
b3e6672694bcd3bfd79f8cab11026b09ecdd7bdd

SHA256
91c02b985a94a54c6927ab805ae753e9162decf4095ad6b6b4d3aec4d20cf586

SHA512
40172512d870aea7b4499e030824c4f81ee83349d551092fa7364beee7da09943a402e6fa718ed80f8f3319b0d606c9a0fe05e88d43061c74e4d6efcaf8e288d

Download Submit
\Windows\SysWOW64\mssql.dll

Filesize
18KB

MD5
55c40de701e3a70105c810420a460a7a

SHA1
2d36e023b4598f1f2fdc76827ca7b1013aa5b349

SHA256
5e7f461564dac11fc54880e2e6b824f90f5fd47a7d66cfd6000423c93965efaa

SHA512
5e92aa11099bced99da320c116ea512d2f54afe31207db2ccc6e6e24384ed3804ba8756f148f665cf4c688503a4816dee238ae8797efa5c54af8301d2fc0506c

Download Submit