phobos | 64a95c8862fe88df0a77bff4ef03f6a2c2cf632cc3ffe84506c534d5874bb277

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
Size

76KB
MD5

e21bc6d01dad98fa8dfb297be8581b89
SHA1

50f28d1d8e0acc5ddcbc0d4a5f0d5e0d88ceebd8
SHA256

64a95c8862fe88df0a77bff4ef03f6a2c2cf632cc3ffe84506c534d5874bb277
SHA512

d0f5830d8a0afdfb5b7101e0f7dfb68135b295a4e7623836ae96cb173a7d43e8f767960c2878da202dbec3112303ca18c24667e7a967e7ca1bbc71c65e1beebb
SSDEEP

1536:wPgGB2xAiABz7T43MSTdQluUV2CU+tqRnq9kDIuK:wWuv7QMuY1DtqRPDl

Score

10^/10

phobos defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Phobos family
phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2936	netsh.exe
1096	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89 = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe"	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89 = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe"	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\id.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.id[8FAA4351-3240].[[email protected]].eking	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
236	2612	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2704	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2816	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	32
PID 2612 wrote to memory of 2816	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	32
PID 2612 wrote to memory of 2816	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	32
PID 2612 wrote to memory of 2816	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	32
PID 2612 wrote to memory of 2316	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	31
PID 2612 wrote to memory of 2316	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	31
PID 2612 wrote to memory of 2316	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	31
PID 2612 wrote to memory of 2316	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	31
PID 2816 wrote to memory of 2704	2816	cmd.exe	36
PID 2816 wrote to memory of 2704	2816	cmd.exe	36
PID 2816 wrote to memory of 2704	2816	cmd.exe	36
PID 2316 wrote to memory of 2936	2316	cmd.exe	35
PID 2316 wrote to memory of 2936	2316	cmd.exe	35
PID 2316 wrote to memory of 2936	2316	cmd.exe	35
PID 2612 wrote to memory of 236	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	38
PID 2612 wrote to memory of 236	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	38
PID 2612 wrote to memory of 236	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	38
PID 2612 wrote to memory of 236	2612	JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe	38
PID 2316 wrote to memory of 1096	2316	cmd.exe	40
PID 2316 wrote to memory of 1096	2316	cmd.exe	40
PID 2316 wrote to memory of 1096	2316	cmd.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e21bc6d01dad98fa8dfb297be8581b89.exe"
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2936
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1096
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 452
  2⤵
  - Program crash
  PID:236