Analysis

  • max time kernel
    95s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2024 07:41

General

  • Target

    b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe

  • Size

    14KB

  • MD5

    b78cc453ef6735d9fc1d91658309b3c9

  • SHA1

    1c9a19aea4f21b5dc77965717f9813a8b265ff7d

  • SHA256

    d3cae8c46ffb9be79aeb3db8890dd844f03f795b23e0865c896052806bb3b925

  • SHA512

    2adc091fe870a67ad93dd7fa12842484bcca73188df45ccdcfe46c4d9037d061fb41a5a239dca5e4a5e11a984f7336332efb6bd0568d9669bf7a181be5158078

  • SSDEEP

    384:RKL1qxnGijrYYVLJZKxo9kxouWxye2uldETQUvpNmSa0VQ:RKLWGu8QFZKsmopxyefldoQUefqQ

Malware Config

Signatures

  • Phorphiex family
  • Phorphiex, Phorpiex

    Phorphiex (also spelled Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b78cc453ef6735d9fc1d91658309b3c9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\delself.bat

    Filesize

    198B

    MD5

    adc37bd4d63883ba16a387688dbd1914

    SHA1

    b3e6672694bcd3bfd79f8cab11026b09ecdd7bdd

    SHA256

    91c02b985a94a54c6927ab805ae753e9162decf4095ad6b6b4d3aec4d20cf586

    SHA512

    40172512d870aea7b4499e030824c4f81ee83349d551092fa7364beee7da09943a402e6fa718ed80f8f3319b0d606c9a0fe05e88d43061c74e4d6efcaf8e288d

  • C:\Windows\SysWOW64\mssql.dll

    Filesize

    18KB

    MD5

    55c40de701e3a70105c810420a460a7a

    SHA1

    2d36e023b4598f1f2fdc76827ca7b1013aa5b349

    SHA256

    5e7f461564dac11fc54880e2e6b824f90f5fd47a7d66cfd6000423c93965efaa

    SHA512

    5e92aa11099bced99da320c116ea512d2f54afe31207db2ccc6e6e24384ed3804ba8756f148f665cf4c688503a4816dee238ae8797efa5c54af8301d2fc0506c