win.phorpiex

Phorpiex

aka: Trik

Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
2020-02-18LastlineJason Zhang, Stefano Ortolani
@online{zhang:20200218:nemty:8d6340a, author = {Jason Zhang and Stefano Ortolani}, title = {{Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders}}, date = {2020-02-18}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/}, language = {English}, urldate = {2020-02-23} } Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
Nemty Phorpiex
2020-01-23ZDNetCatalin Cimpanu
@online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus
Phorpiex
2019-11-19Check PointAlexey Bukhteyev
@online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } Phorpiex Breakdown
Phorpiex
2019-11-04SymantecNguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif
@online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Nemty Phorpiex
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-01-10} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-03-06CrowdStrikeBrendon Feeley, Bex Hartley, Sergei Frankoff
@online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
Gandcrab Phorpiex Pinchy Spider Zombie Spider
2018-06-12Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } Trik Spam Botnet Leaks 43 Million Email Addresses
Phorpiex
2018-05-24ProofpointProofpoint Staff
@online{staff:20180524:phorpiex:81572f0, author = {Proofpoint Staff}, title = {{Phorpiex – A decade of spamming from the shadows}}, date = {2018-05-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows}, language = {English}, urldate = {2019-12-20} } Phorpiex – A decade of spamming from the shadows
Phorpiex
2016-02-21Johannes Bader BlogJohannes Bader
@online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } Phorpiex - An IRC worm
Phorpiex
2013-01-21Trend MicroMark Joseph Manahan
@online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} } Shylock Not the Lone Threat Targeting Skype
Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Detection rule for the Phorpiex (aka Trik) family, generated by yara-signator.
 * Each $sequence_N string is a short run of x86 opcode bytes lifted from
 * disassembly. The "??" bytes mask position-dependent operands — rel32 call
 * targets of e8, absolute IAT slots of ff15 and imm32 data references of 68 —
 * which is why those rows carry no decoded instruction in the per-string
 * comments below. The "n" value is the number of instructions in the
 * sequence; "score" appears to be the generator's ranking of the sequence
 * and has no effect on matching.
 * The condition fires when at least 7 of the 27 sequences are present in an
 * object smaller than 2490368 bytes (2432 KiB). Because the sequences were
 * selected from unpacked files and memory dumps (see the DISCLAIMER), the
 * rule is best applied to unpacked or dumped samples rather than packed
 * droppers.
 */
rule win_phorpiex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Note: "date" and "malpedia_rule_date" differ by one day; both values
        // are emitted by the generator as-is.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? }
            // n = 5, score = 1000
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        // cdq + idiv by 0x7530 (30000): signed division of a call result whose
        // target is masked; the consumer of quotient/remainder lies outside
        // the sequence.
        $sequence_1 = { e8???????? 99 b930750000 f7f9 }
            // n = 4, score = 900
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b930750000           | mov                 ecx, 0x7530
            //   f7f9                 | idiv                ecx

        $sequence_2 = { e8???????? 83c404 e8???????? e8???????? ff15???????? }
            // n = 5, score = 800
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_3 = { 52 ff15???????? 6a00 6a00 6a00 6a00 68???????? }
            // n = 7, score = 800
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_4 = { 83c410 6a00 6a02 6a02 6a00 6a00 }
            // n = 6, score = 800
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 }
            // n = 6, score = 800
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_7 = { ff15???????? 85c0 741f 6880000000 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6880000000           | push                0x80

        $sequence_8 = { 6a00 6a00 682a800000 6a00 }
            // n = 4, score = 700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   682a800000           | push                0x802a
            //   6a00                 | push                0

        // The immediates 0xf003f and 0x80000002 pushed before the masked ff15
        // call equal KEY_ALL_ACCESS and HKEY_LOCAL_MACHINE, consistent with a
        // registry open/create API call — confirm against the sample, as the
        // callee address is masked.
        $sequence_9 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 }
            // n = 7, score = 700
            //   52                   | push                edx
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_10 = { 6a00 ff15???????? 85c0 7418 ff15???????? }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   ff15????????         |                     

        // Stores a result in a stack local, tests it for zero and re-pushes it
        // as an argument; a common compiler idiom, so expect low specificity.
        $sequence_11 = { 8945f8 837df800 7429 8b45f8 50 }
            // n = 5, score = 600
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   7429                 | je                  0x2b
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax

        // Two masked import calls followed by al = 1 and the start of a frame
        // teardown (mov esp, ebp) — presumably a function returning TRUE.
        $sequence_12 = { ff15???????? ff15???????? b001 8be5 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   b001                 | mov                 al, 1
            //   8be5                 | mov                 esp, ebp

        $sequence_13 = { e8???????? 83c404 85c0 7507 32c0 e9???????? eb89 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   eb89                 | jmp                 0xffffff8b

        // cmp eax, 0xb7 (183) matches ERROR_ALREADY_EXISTS and 0x104 (260)
        // equals MAX_PATH; the call producing eax precedes the sequence, so a
        // GetLastError()-style check is plausible but not shown here.
        $sequence_14 = { 3db7000000 7508 6a00 ff15???????? 6804010000 }
            // n = 5, score = 500
            //   3db7000000           | cmp                 eax, 0xb7
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        // Error path: returns -1 (or eax, 0xffffffff; ret) when the preceding
        // test fails; the jne skips over it.
        $sequence_15 = { 7504 83c8ff c3 8b542404 }
            // n = 4, score = 500
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_16 = { 6a21 50 e8???????? c60000 }
            // n = 4, score = 500
            //   6a21                 | push                0x21
            //   50                   | push                eax
            //   e8????????           |                     
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_17 = { 8d442420 50 68???????? 8d4c2468 68ff010000 51 e8???????? }
            // n = 7, score = 400
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   50                   | push                eax
            //   68????????           |                     
            //   8d4c2468             | lea                 ecx, [esp + 0x68]
            //   68ff010000           | push                0x1ff
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_18 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? }
            // n = 5, score = 400
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_19 = { 8d4c2420 51 6800142d00 57 ff15???????? 85c0 }
            // n = 6, score = 400
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   51                   | push                ecx
            //   6800142d00           | push                0x2d1400
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_20 = { 50 e8???????? 83c410 e8???????? 99 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   99                   | cdq                 

        // Byte-copy loop (strcpy-like): copies bytes from [edx] to [ecx] until
        // a NUL byte is read; destination is a stack buffer at [esp + 0x28].
        $sequence_21 = { 8d4c2428 42 8801 8a02 41 84c0 75f6 }
            // n = 7, score = 400
            //   8d4c2428             | lea                 ecx, [esp + 0x28]
            //   42                   | inc                 edx
            //   8801                 | mov                 byte ptr [ecx], al
            //   8a02                 | mov                 al, byte ptr [edx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f6                 | jne                 0xfffffff8

        // Compares al against ASCII 'z' (0x7a), '4' (0x34) and '2' (0x32);
        // a character-classification chain whose purpose is not recoverable
        // from the sequence alone.
        $sequence_22 = { 7404 3c7a 7512 3c34 7415 3c32 }
            // n = 6, score = 200
            //   7404                 | je                  6
            //   3c7a                 | cmp                 al, 0x7a
            //   7512                 | jne                 0x14
            //   3c34                 | cmp                 al, 0x34
            //   7415                 | je                  0x17
            //   3c32                 | cmp                 al, 0x32

        // Same 0xb7 (ERROR_ALREADY_EXISTS) comparison as $sequence_14, here
        // followed by a masked import call and al = 1.
        $sequence_23 = { 3db7000000 740b 56 ff15???????? b001 }
            // n = 5, score = 200
            //   3db7000000           | cmp                 eax, 0xb7
            //   740b                 | je                  0xd
            //   56                   | push                esi
            //   ff15????????         |                     
            //   b001                 | mov                 al, 1

        // Loop head: edi = 0 as an index into a buffer at esi, bounded by ebx
        // (jbe exits when ebx is zero); $sequence_25 reads the same [edi + esi].
        $sequence_24 = { 33ff 85db 7631 8a0437 }
            // n = 4, score = 200
            //   33ff                 | xor                 edi, edi
            //   85db                 | test                ebx, ebx
            //   7631                 | jbe                 0x33
            //   8a0437               | mov                 al, byte ptr [edi + esi]

        $sequence_25 = { 85c0 750f 0fbe0437 50 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   0fbe0437             | movsx               eax, byte ptr [edi + esi]
            //   50                   | push                eax

        $sequence_26 = { 50 e8???????? 59 85c0 74bf 47 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   74bf                 | je                  0xffffffc1
            //   47                   | inc                 edi

    condition:
        // At least 7 of the 27 opcode sequences, with a 2490368-byte (2432 KiB)
        // size cap on the scanned object.
        7 of them and filesize < 2490368
}