win.phorpiex

Phorpiex

aka: Trik

Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
Catalin Cimpanu (2020-11-20), ZDNet: The malware that usually installs ransomware and you need to remove right away. https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ (accessed 2020-11-23).
Families: Avaddon Ransomware, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti Ransomware, DoppelPaymer, Dridex, Egregor, Emotet, FriedEx, MegaCortex, Phorpiex, PwndLocker, QakBot, Ryuk, SDBbot, TrickBot, Zloader

Jason Zhang, Stefano Ortolani (2020-02-18), Lastline: Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders. https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/ (accessed 2020-02-23).
Families: Nemty, Phorpiex

Catalin Cimpanu (2020-01-23), ZDNet: Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus. https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/ (accessed 2020-01-27).
Families: Phorpiex

Alexey Bukhteyev (2019-11-19), Check Point: Phorpiex Breakdown. https://research.checkpoint.com/2019/phorpiex-breakdown/ (accessed 2020-01-06).
Families: Phorpiex

Nguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif (2019-11-04), Symantec: Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet (accessed 2020-06-02).
Families: Nemty, Phorpiex

Thomas Roccia, Marc Rivero López, Chintan Shah (2019-09-09), McAfee: Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ (accessed 2020-08-30).
Families: Cutwail, Dridex, Dyre, Kovter, Locky, Phorpiex, Simda

Brendon Feeley, Bex Hartley, Sergei Frankoff (2019-03-06), CrowdStrike: PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/ (accessed 2019-12-20).
Families: Gandcrab, Phorpiex, Pinchy Spider, Zombie Spider

Catalin Cimpanu (2018-06-12), Bleeping Computer: Trik Spam Botnet Leaks 43 Million Email Addresses. https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/ (accessed 2019-12-20).
Families: Phorpiex

Proofpoint Staff (2018-05-24), Proofpoint: Phorpiex – A decade of spamming from the shadows. https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows (accessed 2019-12-20).
Families: Phorpiex

Johannes Bader (2016-02-21), Johannes Bader Blog: Phorpiex - An IRC worm. https://www.johannesbader.ch/2016/02/phorpiex/ (accessed 2020-01-06).
Families: Phorpiex

Mark Joseph Manahan (2013-01-21), Trend Micro: Shylock Not the Lone Threat Targeting Skype. https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ (accessed 2020-01-13).
Families: Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_phorpiex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_1 = { 6a00 ff15???????? ff15???????? 50 e8???????? 83c404 }
            // n = 6, score = 600
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_2 = { 6a00 6a20 6a00 6a00 6a00 8b5508 }
            // n = 6, score = 600
            //   6a00                 | push                0
            //   6a20                 | push                0x20
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_3 = { e8???????? 99 b930750000 f7f9 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b930750000           | mov                 ecx, 0x7530
            //   f7f9                 | idiv                ecx

        $sequence_4 = { ff15???????? 85c0 741f 6880000000 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6880000000           | push                0x80

        $sequence_5 = { ff15???????? 6a00 ff15???????? 85c0 7418 }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a

        $sequence_6 = { e8???????? 83c404 e8???????? e8???????? ff15???????? 6a00 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_7 = { e8???????? 99 b90d000000 f7f9 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b90d000000           | mov                 ecx, 0xd
            //   f7f9                 | idiv                ecx

        $sequence_8 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 }
            // n = 6, score = 500
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { e8???????? 83c410 6a00 6a02 6a02 6a00 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0

        $sequence_10 = { 6a00 6a00 682a800000 6a00 }
            // n = 4, score = 500
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   682a800000           | push                0x802a
            //   6a00                 | push                0

        $sequence_11 = { 7416 8b4df8 51 ff15???????? 8b55fc 52 }
            // n = 6, score = 400
            //   7416                 | je                  0x18
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx

        $sequence_12 = { eba7 6a00 ff15???????? 8be5 }
            // n = 4, score = 400
            //   eba7                 | jmp                 0xffffffa9
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_13 = { 85c0 7440 6a01 ff15???????? 8945f8 837df800 }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0

        $sequence_14 = { f7f9 52 ff15???????? 6a00 6a00 6a00 }
            // n = 6, score = 300
            //   f7f9                 | idiv                ecx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_15 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? }
            // n = 5, score = 300
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_16 = { 50 e8???????? 83c410 e8???????? 99 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   99                   | cdq                 

        $sequence_17 = { 6a21 50 e8???????? c60000 }
            // n = 4, score = 300
            //   6a21                 | push                0x21
            //   50                   | push                eax
            //   e8????????           |                     
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_18 = { 3db7000000 7508 6a00 ff15???????? 6804010000 }
            // n = 5, score = 300
            //   3db7000000           | cmp                 eax, 0xb7
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_19 = { 3d00010000 7504 83c8ff c3 8b542404 }
            // n = 5, score = 300
            //   3d00010000           | cmp                 eax, 0x100
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_20 = { 7414 3c41 7410 3c52 740c 3c72 7408 }
            // n = 7, score = 200
            //   7414                 | je                  0x16
            //   3c41                 | cmp                 al, 0x41
            //   7410                 | je                  0x12
            //   3c52                 | cmp                 al, 0x52
            //   740c                 | je                  0xe
            //   3c72                 | cmp                 al, 0x72
            //   7408                 | je                  0xa

        $sequence_21 = { 41 84c0 75f6 8d442428 8d5001 8a08 }
            // n = 6, score = 200
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f6                 | jne                 0xfffffff8
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   8d5001               | lea                 edx, [eax + 1]
            //   8a08                 | mov                 cl, byte ptr [eax]

        $sequence_22 = { 3c42 7434 3c32 7430 }
            // n = 4, score = 200
            //   3c42                 | cmp                 al, 0x42
            //   7434                 | je                  0x36
            //   3c32                 | cmp                 al, 0x32
            //   7430                 | je                  0x32

        $sequence_23 = { be08020000 56 33ff 8d85f8fdffff 57 50 }
            // n = 6, score = 200
            //   be08020000           | mov                 esi, 0x208
            //   56                   | push                esi
            //   33ff                 | xor                 edi, edi
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   57                   | push                edi
            //   50                   | push                eax

        $sequence_24 = { 8d1451 8a0e bf01000000 84c9 75de eb0a 85ff }
            // n = 7, score = 200
            //   8d1451               | lea                 edx, [ecx + edx*2]
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   bf01000000           | mov                 edi, 1
            //   84c9                 | test                cl, cl
            //   75de                 | jne                 0xffffffe0
            //   eb0a                 | jmp                 0xc
            //   85ff                 | test                edi, edi

        $sequence_25 = { 57 50 e8???????? 83c418 56 8d85f8fdffff }
            // n = 6, score = 200
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   56                   | push                esi
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]

        $sequence_26 = { 50 6a0c 8d4c2420 51 6800142d00 57 ff15???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6a0c                 | push                0xc
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   51                   | push                ecx
            //   6800142d00           | push                0x2d1400
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_27 = { 85c0 74bf 47 3bfb 72cf 8a06 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   74bf                 | je                  0xffffffc1
            //   47                   | inc                 edi
            //   3bfb                 | cmp                 edi, ebx
            //   72cf                 | jb                  0xffffffd1
            //   8a06                 | mov                 al, byte ptr [esi]

    condition:
        7 of them and filesize < 311296
}