Malware Analysis Report: Phobos Ransomware
Executive Summary
SHA256 hash
e63bfc04792f9f4b921ef182b83f03a5212f061a7c7d8cfe3c51f4fbc0032cba
MD5 hash
b5746928e66790ebd54e1052353fc2a0
❖ What kind of malware is Decrypt?
⮚ Decrypt is the name of a ransomware sample our team discovered while investigating an incident. The ransomware encrypts files, modifies their file names and drops two ransom notes, "info.hta" and "info.txt". It belongs to the Phobos ransomware family.
❖ Background of Phobos Ransomware:
⮚ Phobos ransomware is malicious software used by threat actors to encrypt files on compromised systems. The purpose is to extort a ransom fee from victims in exchange for restoring access to their data. Phobos affiliates are financially motivated and opportunistic. Most victims are small to medium-sized businesses, though individuals have been affected too.
The attack patterns used by ransomware operators who obtain initial entry into an environment via remote access solutions have remained relatively consistent over the years. In almost all circumstances, our investigations found that initial access was obtained using a local or domain administrator account. Consequently, most actors began their attack with privileged access, and little additional effort was required for them to achieve their objective.
Basic Static Analysis
⮚ Loading the sample in pestudio shows the MZ magic bytes at the start of the file, which identifies it as a Windows executable.
⮚ pestudio also shows the entry-point details of the executable.
⮚ This Phobos sample imports the Windows APIs listed above, which it uses for its malicious functionality.
⮚ The imports include many APIs for registry access, thread creation, HTTP communication and so on.
⮚ Inspecting the PE header in PEview shows a compile timestamp of 2020-03-31.
⮚ The .rdata section in PEview shows that the executable imports GetIpAddrTable from IPHLPAPI.DLL, which it uses to retrieve the host's current IP address details.
⮚ The Libraries section in pestudio lists the libraries used by this ransomware. Among them is Shell32.dll, which the ransomware uses to run malicious commands.
⮚ The Indicators section in pestudio summarises the entry-point location, string count, import count and similar details.
⮚ It classifies its findings by high and low severity, and also reports file properties such as file size, library count and header checksum. The most dangerous import used by this ransomware is the IP Helper API.
⮚ The IP Helper API is used to retrieve information about the network configuration of the local computer.
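The static checks above (MZ/PE magic bytes, the COFF compile timestamp, and spotting notable library and API names such as IPHLPAPI.DLL, GetIpAddrTable and Shell32.dll) can be reproduced without a GUI tool. The following Python script is an added example written for this report; it is not the author's code and the PE-shaped buffer it analyses is constructed inline, not the Phobos sample. It only scans printable strings for the watched names, it does not parse the import table.

```python
"""Minimal PE header triage (added example, not part of the original report).
Reproduces three static checks: MZ/PE magic bytes, the COFF TimeDateStamp,
and the presence of notable library/API names among printable strings.
The input buffer is constructed below for demonstration; it is not a real sample."""
import calendar
import re
import struct
from datetime import datetime, timezone

# Names the report calls out; matched case-insensitively against extracted strings.
WATCHED_NAMES = {"IPHLPAPI.DLL", "GETIPADDRTABLE", "SHELL32.DLL"}


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with 'MZ' and e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp as an aware UTC datetime."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Extract runs of printable ASCII, the way a 'strings' tool does."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Combine the checks into a small report dictionary."""
    hits = sorted({s for s in printable_strings(data) if s.upper() in WATCHED_NAMES})
    return {
        "is_pe": is_pe(data),
        "compile_date": compile_timestamp(data).date().isoformat(),
        "watched_names": hits,
    }


def build_sample_pe(ts: int) -> bytes:
    """Construct a minimal, non-executable PE-shaped buffer (demonstration input only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # PE signature + COFF header: Machine=0x14C (i386), 3 sections, TimeDateStamp=ts, rest zero.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 0, 0)
    # Constructed string table mimicking what pestudio/PEview would show in .rdata.
    strings_blob = b"\0GetIpAddrTable\0IPHLPAPI.DLL\0SHELL32.dll\0ShellExecuteW\0"
    return bytes(dos) + coff + strings_blob


# Constructed sample with the same compile date the report observed (2020-03-31).
SAMPLE_TS = calendar.timegm((2020, 3, 31, 0, 0, 0))
SAMPLE = build_sample_pe(SAMPLE_TS)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a real file by replacing SAMPLE with the file's bytes; the watched-name list is deliberately small and should be extended with whatever imports matter in a given investigation.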
Dynamic Analysis
⮚ For dynamic analysis, the ransomware was run in a FLARE VM whose DNS was routed to a second VM running REMnux.
⮚ When the malware was executed, it started encrypting files and renaming them with the .Decrypt extension.
⮚ Process Monitor was used to observe the processes started by this ransomware.
⮚ The ransomware performed a large number of registry changes and file creation operations.
⮚ Among the many operations performed, it opened the registry and changed the safe boot options.
⮚ It also started a process to run a shell.
⮚ Several files were created; for persistence, the ransomware placed a copy in the Startup folder and added an entry under the registry Run key.
⮚ The process tree in Process Monitor shows several commands executed via CMD, whose parent process is decrypt.exe (the malware itself).
⮚ Using the wmic command, the ransomware deletes the shadow copies.
⮚ Volume Shadow Copy is a Windows technology for creating backups and snapshots of volumes. Once the shadow copies are deleted, Windows cannot be restored from them.
⮚ The next child process of CMD was wbadmin.exe, which ran the command to delete the backup catalog quietly.
⮚ In the next child process of CMD, bcdedit.exe set bootstatuspolicy to ignoreallfailures.
⮚ bcdedit.exe is the command-line tool used to manage Boot Configuration Data.
⮚ With bootstatuspolicy set to ignoreallfailures, the system boots while ignoring any errors that occur at boot time.
⮚ In the next child process, netsh.exe ran and set the firewall opmode to disable.
⮚ netsh.exe is the network shell, used to change network configuration. This command disables the default Windows firewall, so that if the malware communicates over the network the firewall does not interfere.
⮚ In the next child process, bcdedit.exe set recoveryenabled to no for the default boot entry.
⮚ bcdedit.exe is used to change the boot configuration. Windows enables recovery by default, but the ransomware disables it, so that after this policy is set the user is unable to restore the system.
⮚ In the next child process, vssadmin.exe deleted all shadow copies quietly; after this, no shadow copies remain on the system to restore from.
⮚ Finally, it displays the ransom message stating that all files have been encrypted.
⮚ The info.txt note contains the ransom text and instructs the victim to send an email to johnhelper@gmx.de.
⮚ After completing my analysis, I checked what online sandbox tools report about this ransomware.
⮚ First, the sample was submitted to the App.any.run sandbox, which shows the same process activity as my analysis, in graph form.
⮚ The file hash was then searched on VirusTotal, which shows the results below.
⮚ VirusTotal classifies it as belonging to the Phobos ransomware family.
Indicators of Compromise:
MD5: b5746928e66790ebd54e1052353fc2a0
SHA-1: 43e19422cb3066a738944f2eeeb727a182aa48b4
SHA-256: e63bfc04792f9f4b921ef182b83f03a5212f061a7c7d8cfe3c51f4fbc0032cba
MITRE ATT&CK Technique IDs for observed IOCs:
MITRE ATT&CK Technique ID: T1569 - System Services
IOC: Executes as Windows Service (3)
vssvc.exe (1)
wbengine.exe (1)
vds.exe (1)
Description: These processes were started as a result of the commands run via CMD.
MITRE ATT&CK Technique ID: T1047 - Windows Management Instrumentation
IOC: WMIC.exe shadowcopy delete
Description: WMIC.exe was used to access and delete the shadow copies.
MITRE ATT&CK Technique ID: T1059 - Command and Scripting Interpreter
IOC: CMD.exe (Windows Command Shell)
Description: Starts CMD.EXE to execute commands.
MITRE ATT&CK Technique ID: T1547 - Boot or Logon Autostart Execution
IOC: Changes the autorun value in the registry / writes to the Start Menu Startup folder
Description: The malware achieves persistence through the registry autorun key and the Startup folder.
MITRE ATT&CK Technique ID: T1518 - Security Software Discovery
IOC: WMIC.exe
Description: WMIC.exe was used to change the shadow copy information.
MITRE ATT&CK Technique ID: T1490 - Inhibit System Recovery
IOC: vssadmin.exe delete shadows /all /quiet
Description: vssadmin.exe was used to delete volume shadow copies.
IOC: wbadmin.exe delete catalog -quiet
Description: wbadmin.exe was used to delete the Windows backup catalog.
IOC: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Description: bcdedit.exe was used to modify the boot configuration.
MITRE ATT&CK Technique ID: T1486 - Data Encrypted for Impact
IOC: Renames encrypted files with the .decrypt extension
Description: Encrypts files and renames them with the .decrypt extension.
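The command chain observed in the dynamic analysis (vssadmin, wmic, wbadmin, bcdedit and netsh launched from a cmd.exe whose parent is the malware) and the ATT&CK mapping in the IOC table above translate directly into process-creation detection logic. The Python script below is an added example, not part of the original report: it runs a small rule set over constructed process-creation log lines (a made-up `pid/ppid/image/cmdline` format, loosely modelled on Sysmon Event ID 1 fields), tags each hit with its technique ID, walks the parent chain to find the process that originated the commands, and raises an alert when one origin accounts for several T1490 hits. The netsh rule is mapped to T1562.004 (Disable or Modify System Firewall), which the report's table does not list; that mapping is my addition.

```python
"""Recovery-inhibition command detection (added example, not part of the original report).
Log format and sample lines are constructed for this example; they are not real telemetry."""
import re
from typing import Dict, List, Tuple

# (rule name, regex over the command line, ATT&CK technique id)
RULES: List[Tuple[str, "re.Pattern", str]] = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "T1490"),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "T1047"),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b", re.I), "T1490"),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I), "T1490"),
    ("bcdedit recoveryenabled no",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I), "T1490"),
    # Added mapping: T1562.004 is not in the report's IOC table.
    ("netsh firewall disable",
     re.compile(r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable", re.I), "T1562.004"),
]

# Constructed log line shape: pid=<n> ppid=<n> image=<name> cmdline="<command line>"
LOG_LINE = re.compile(r'pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed process-creation line into its fields."""
    m = LOG_LINE.search(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, technique id) for every rule the command line matches."""
    return [(name, tech) for name, rx, tech in RULES if rx.search(cmdline)]


def analyse(lines: List[str]) -> Dict:
    """Match rules, attribute each hit to its originating process, and alert on clustering."""
    events = [parse_line(line) for line in lines]
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for name, tech in match_rules(e["cmdline"]):
            # Walk two levels up: the tool is a child of cmd.exe, which is a child of the origin.
            parent = by_pid.get(e["ppid"])
            grandparent = by_pid.get(parent["ppid"]) if parent else None
            origin = (grandparent or parent or e)["image"]
            hits.append({"rule": name, "technique": tech, "image": e["image"], "origin": origin})
    # One process driving two or more distinct T1490 actions is the ransomware pattern seen above.
    t1490_by_origin: Dict[str, int] = {}
    for h in hits:
        if h["technique"] == "T1490":
            t1490_by_origin[h["origin"]] = t1490_by_origin.get(h["origin"], 0) + 1
    alerts = sorted(origin for origin, n in t1490_by_origin.items() if n >= 2)
    return {"hits": hits, "techniques": sorted({h["technique"] for h in hits}), "alerts": alerts}


# Constructed sample log mirroring the process tree described in the report.
SAMPLE_LOG = [
    'pid=100 ppid=1 image=explorer.exe cmdline="explorer.exe"',
    'pid=200 ppid=100 image=decrypt.exe cmdline="C:\\Users\\victim\\Desktop\\decrypt.exe"',
    'pid=300 ppid=200 image=cmd.exe cmdline="cmd.exe"',
    'pid=301 ppid=300 image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'pid=302 ppid=300 image=wmic.exe cmdline="wmic.exe shadowcopy delete"',
    'pid=303 ppid=300 image=wbadmin.exe cmdline="wbadmin.exe delete catalog -quiet"',
    'pid=304 ppid=300 image=bcdedit.exe cmdline="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    'pid=305 ppid=300 image=bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"',
    'pid=306 ppid=300 image=netsh.exe cmdline="netsh.exe firewall set opmode mode=disable"',
    # Benign: an administrator listing shadow copies from an interactive shell must not alert.
    'pid=400 ppid=100 image=cmd.exe cmdline="cmd.exe"',
    'pid=401 ppid=400 image=vssadmin.exe cmdline="vssadmin.exe list shadows"',
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG)["hits"]:
        print(hit)
    print("alerts:", analyse(SAMPLE_LOG)["alerts"])
```

Attributing hits to the origin process rather than to the individual tool is what separates this pattern from routine administration: a lone `vssadmin list shadows` from an interactive shell produces no alert, while a single unknown binary driving four distinct recovery-inhibition commands through cmd.exe does.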