phorphiex | 908fea0d45e0948714aab5c1abd5daa664eeef4dcf11d27f8b9cfbd30fc1168c

General

Target

JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
Size

1016KB
MD5

6f4f9522086eac0071069f0a799aa7de
SHA1

cf4544d75145060da77eb780444e1ef15984fd6f
SHA256

908fea0d45e0948714aab5c1abd5daa664eeef4dcf11d27f8b9cfbd30fc1168c
SHA512

104c2fc99cd7b2a91e9aa446712d5802a88d5fc64fc28dce03db5e31c6f30f8d59f782a5b7021107be686c8a233320ae0b82a6e956e829e1d85569780bd2b2c5
SSDEEP

24576:6c//////qPzZSQcEQhN/nrNC3fB39BRbWMmdbesfmIt:6c//////qPzORhNPrNC3RcMQasfmK

Score

10^/10

phorphiex discovery loader trojan vmprotect worm

Malware Config

Signatures

Phorphiex family
phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Executes dropped EXE 2 IoCs

pid	Process
1800	guozi.exe
4604	·çÔÆ20100222-2°æ.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023d6b-10.dat	vmprotect
behavioral2/memory/4604-11-0x0000000000400000-0x0000000000662000-memory.dmp	vmprotect
behavioral2/memory/4604-13-0x0000000000400000-0x0000000000662000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wshipv4.dll	guozi.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3940	1800	WerFault.exe	89
3952	4604	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guozi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	·çÔÆ20100222-2°æ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	guozi.exe
1800	guozi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	guozi.exe
Token: SeDebugPrivilege	1800	guozi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4092	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	85
PID 4532 wrote to memory of 4092	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	85
PID 4532 wrote to memory of 4092	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	85
PID 4532 wrote to memory of 4904	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	87
PID 4532 wrote to memory of 4904	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	87
PID 4532 wrote to memory of 4904	4532	JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe	87
PID 4092 wrote to memory of 1800	4092	cmd.exe	89
PID 4092 wrote to memory of 1800	4092	cmd.exe	89
PID 4092 wrote to memory of 1800	4092	cmd.exe	89
PID 4904 wrote to memory of 4604	4904	cmd.exe	90
PID 4904 wrote to memory of 4604	4904	cmd.exe	90
PID 4904 wrote to memory of 4604	4904	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f4f9522086eac0071069f0a799aa7de.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\guozi.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\guozi.exe
    C:\Users\Admin\AppData\Local\Temp\guozi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 328
      4⤵
      Program crash
      PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe
    C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 528
      4⤵
      Program crash
      PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1800 -ip 1800
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\guozi.exe

Filesize
37KB

MD5
d434d83c5958bb61057e0a2d2abb19cd

SHA1
6726e5c6a4fe792816939e75ed76591ca9fbed43

SHA256
18f7f7b330c8f53bc42b9d498219ce58bdf337e82dc7a87c81b16020f9207bf2

SHA512
76758474649abef209017c0363f583f5fe38d7e6bff65af7f14c1d5bc0af0bae0350e4d31e0cc9dfc90074d0550d6e48fa07772e128879da25ff1e705f33562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\·çÔÆ20100222-2°æ.exe

Filesize
940KB

MD5
e9d30ab511f82de844601586e348074c

SHA1
c7a00287019b57c6950060e3a9df56848ebc3dc5

SHA256
176042c025ef1a543b622612e6c612b22b34204b96a7572f1903646164a30745

SHA512
d242132798b386a47c95e20b4bb9658674e8d9f6a5640cc8a9cb87f52d2a23bb094c066cc4116875f868d722cccf9e365618ec4a52d186f51544bb07cf24f949

Download Submit
memory/1800-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1800-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4532-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4604-11-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/4604-13-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing