phorphiex | ae73ef74543ce177e7d376df37c9d497df69bdb3777a5e3efa5cc43205321414

General

Target

JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
Size

404KB
MD5

db3c481f3eff1160e337e7971ef1d5dc
SHA1

233bca64d79acfabeeffeb028d8b0a011be38de2
SHA256

ae73ef74543ce177e7d376df37c9d497df69bdb3777a5e3efa5cc43205321414
SHA512

9754726b363c4ea7df6a7226f24357f1b82b727c159d6b58c902dc5fab53896aeca728a91795a7bede94ac1df22e4d90dbde5fdfe3cd27d94b4119ee7e0bff72
SSDEEP

6144:u9qlSqfb+6C82rv7pQsvKC1j7BQRyDo5Sv307a05LiSzt:u9qRfb+6C8A7p/z6ygEd05LiEt

Score

10^/10

phorphiex discovery evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

http://urusurofhsorhfuuhk.su/

http://aeifaeifhutuhuhusk.su/

http://rzhsudhugugfugugsk.su/

http://bfagzzezgaegzgfaik.su/

http://eaeuafhuaegfugeudk.su/

http://aeufuaehfiuehfuhfk.su/

http://daedagheauehfuuhfk.su/

http://aeoughaoheguaoehdk.su/

http://eguaheoghouughahsk.su/

http://huaeokaefoaeguaehk.su/

http://afaeigaifgsgrhhafk.su/

http://afaigaeigieufuifik.su/

http://geauhouefheuutiiik.su/

http://gaoheeuofhefefhutk.su/

http://gaouehaehfoaeajrsk.su/

http://gaohrhurhuhruhfsdk.su/

http://gaghpaheiafhjefijk.su/

http://gaoehuoaoefhuhfugk.su/

http://aegohaohuoruitiiek.su/

Wallets

1Bn4JYKoVgQpZ73doWVFSNZBbwKj3cpJNR

qqsagteh4m6qunmgrrknulafzcdlmzn35yeggvq8qk

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0x05F916216CC4BA6ac89b8093d474E2a1e6121c63

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysfxii.exe

Phorphiex family
phorphiex

Phorphiex payload 4 IoCs

resource	yara_rule
behavioral2/memory/2728-2-0x0000000002210000-0x000000000221D000-memory.dmp	family_phorphiex
behavioral2/memory/2728-3-0x0000000002210000-0x000000000221D000-memory.dmp	family_phorphiex
behavioral2/memory/5096-12-0x0000000002360000-0x000000000236D000-memory.dmp	family_phorphiex
behavioral2/memory/5096-13-0x0000000002360000-0x000000000236D000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysfxii.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	sysfxii.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysfxii.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysfxii.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1808318752\\sysfxii.exe"	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1808318752\\sysfxii.exe"	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1808318752\sysfxii.exe	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
File opened for modification	C:\Windows\1808318752	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
File created	C:\Windows\1808318752\sysfxii.exe	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysfxii.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe
5096	sysfxii.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
Token: SeDebugPrivilege	5096	sysfxii.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
5096	sysfxii.exe
5096	sysfxii.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 5096	2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe	84
PID 2728 wrote to memory of 5096	2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe	84
PID 2728 wrote to memory of 5096	2728	JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_db3c481f3eff1160e337e7971ef1d5dc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\1808318752\sysfxii.exe
  C:\Windows\1808318752\sysfxii.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1808318752\sysfxii.exe

Filesize
404KB

MD5
db3c481f3eff1160e337e7971ef1d5dc

SHA1
233bca64d79acfabeeffeb028d8b0a011be38de2

SHA256
ae73ef74543ce177e7d376df37c9d497df69bdb3777a5e3efa5cc43205321414

SHA512
9754726b363c4ea7df6a7226f24357f1b82b727c159d6b58c902dc5fab53896aeca728a91795a7bede94ac1df22e4d90dbde5fdfe3cd27d94b4119ee7e0bff72

Download Submit
memory/2728-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2728-1-0x0000000000435000-0x000000000043D000-memory.dmp

Filesize
32KB

Download
memory/2728-2-0x0000000002210000-0x000000000221D000-memory.dmp

Filesize
52KB

Download
memory/2728-3-0x0000000002210000-0x000000000221D000-memory.dmp

Filesize
52KB

Download
memory/2728-4-0x0000000000435000-0x000000000043D000-memory.dmp

Filesize
32KB

Download
memory/5096-10-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5096-12-0x0000000002360000-0x000000000236D000-memory.dmp

Filesize
52KB

Download
memory/5096-13-0x0000000002360000-0x000000000236D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads