phorphiex | 908fea0d45e0948714aab5c1abd5daa664eeef4dcf11d27f8b9cfbd30fc1168c

General

Target

JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
Size

1016KB
MD5

6f4f9522086eac0071069f0a799aa7de
SHA1

cf4544d75145060da77eb780444e1ef15984fd6f
SHA256

908fea0d45e0948714aab5c1abd5daa664eeef4dcf11d27f8b9cfbd30fc1168c
SHA512

104c2fc99cd7b2a91e9aa446712d5802a88d5fc64fc28dce03db5e31c6f30f8d59f782a5b7021107be686c8a233320ae0b82a6e956e829e1d85569780bd2b2c5
SSDEEP

24576:6c//////qPzZSQcEQhN/nrNC3fB39BRbWMmdbesfmIt:6c//////qPzORhNPrNC3RcMQasfmK

Score

10^/10

phorphiex discovery loader trojan vmprotect worm

Malware Config

Signatures

Phorphiex family
phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Executes dropped EXE 2 IoCs

pid	Process
2856	guozi.exe
2300	·çÔÆ20100222-2°æ.exe

Loads dropped DLL 10 IoCs

pid	Process
2004	cmd.exe
2004	cmd.exe
2560	cmd.exe
2560	cmd.exe
2912	WerFault.exe
2912	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2912	WerFault.exe
2140	WerFault.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000016bfc-12.dat	vmprotect
behavioral1/memory/2300-19-0x0000000000400000-0x0000000000662000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wshipv4.dll	guozi.exe

Program crash 2 IoCs

pid	pid_target	Process
2140	2300	WerFault.exe
2912	2856	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guozi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	·çÔÆ20100222-2°æ.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2856	guozi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	guozi.exe
Token: SeDebugPrivilege	2856	guozi.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2004	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	30
PID 2168 wrote to memory of 2004	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	30
PID 2168 wrote to memory of 2004	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	30
PID 2168 wrote to memory of 2004	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	30
PID 2168 wrote to memory of 2560	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	31
PID 2168 wrote to memory of 2560	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	31
PID 2168 wrote to memory of 2560	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	31
PID 2168 wrote to memory of 2560	2168	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	31
PID 2004 wrote to memory of 2856	2004	cmd.exe	34
PID 2004 wrote to memory of 2856	2004	cmd.exe	34
PID 2004 wrote to memory of 2856	2004	cmd.exe	34
PID 2004 wrote to memory of 2856	2004	cmd.exe	34
PID 2560 wrote to memory of 2300	2560	cmd.exe	35
PID 2560 wrote to memory of 2300	2560	cmd.exe	35
PID 2560 wrote to memory of 2300	2560	cmd.exe	35
PID 2560 wrote to memory of 2300	2560	cmd.exe	35
PID 2300 wrote to memory of 2140	2300	·çÔÆ20100222-2°æ.exe	36
PID 2300 wrote to memory of 2140	2300	·çÔÆ20100222-2°æ.exe	36
PID 2300 wrote to memory of 2140	2300	·çÔÆ20100222-2°æ.exe	36
PID 2300 wrote to memory of 2140	2300	·çÔÆ20100222-2°æ.exe	36
PID 2856 wrote to memory of 2912	2856	guozi.exe	37
PID 2856 wrote to memory of 2912	2856	guozi.exe	37
PID 2856 wrote to memory of 2912	2856	guozi.exe	37
PID 2856 wrote to memory of 2912	2856	guozi.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\guozi.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\guozi.exe
    C:\Users\Admin\AppData\Local\Temp\guozi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 168
      4⤵
      Loads dropped DLL
      Program crash
      PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe
    C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 188
      4⤵
      Loads dropped DLL
      Program crash
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe

Filesize
940KB

MD5
e9d30ab511f82de844601586e348074c

SHA1
c7a00287019b57c6950060e3a9df56848ebc3dc5

SHA256
176042c025ef1a543b622612e6c612b22b34204b96a7572f1903646164a30745

SHA512
d242132798b386a47c95e20b4bb9658674e8d9f6a5640cc8a9cb87f52d2a23bb094c066cc4116875f868d722cccf9e365618ec4a52d186f51544bb07cf24f949

Download Submit
\Users\Admin\AppData\Local\Temp\guozi.exe

Filesize
37KB

MD5
d434d83c5958bb61057e0a2d2abb19cd

SHA1
6726e5c6a4fe792816939e75ed76591ca9fbed43

SHA256
18f7f7b330c8f53bc42b9d498219ce58bdf337e82dc7a87c81b16020f9207bf2

SHA512
76758474649abef209017c0363f583f5fe38d7e6bff65af7f14c1d5bc0af0bae0350e4d31e0cc9dfc90074d0550d6e48fa07772e128879da25ff1e705f33562e

Download Submit
memory/2004-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2004-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2168-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2300-19-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/2560-14-0x00000000022B0000-0x0000000002512000-memory.dmp

Filesize
2.4MB

Download
memory/2560-16-0x00000000022B0000-0x0000000002512000-memory.dmp

Filesize
2.4MB

Download
memory/2856-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2856-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing