win.phorpiex

Phorpiex

aka: Trik

Proofpoint describes Phorpiex/Trik as an SDBot fork, and therefore IRC-based, that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
2019-11-19 ⋅ Check Point ⋅ Alexey Bukhteyev
@online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} }
Families: Phorpiex

2019-09-09 ⋅ McAfee ⋅ Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-01-10} }
Families: Cutwail, Dridex, Dyre, Kovter, Locky, Phorpiex, Simda

2019-03-06 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley, Sergei Frankoff
@online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} }
Families: Gandcrab, Phorpiex, Pinchy Spider, Zombie Spider

2018-06-12 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
@online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} }
Families: Phorpiex

2018-05-24 ⋅ Proofpoint ⋅ Proofpoint Staff
@online{staff:20180524:phorpiex:81572f0, author = {Proofpoint Staff}, title = {{Phorpiex – A decade of spamming from the shadows}}, date = {2018-05-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows}, language = {English}, urldate = {2019-12-20} }
Families: Phorpiex

2016-02-21 ⋅ Johannes Bader Blog ⋅ Johannes Bader
@online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} }
Families: Phorpiex

2013-01-21 ⋅ Trend Micro ⋅ Mark Joseph Manahan
@online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} }
Families: Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_phorpiex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? 83c404 }
            // n = 6, score = 500
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 6a00 ff15???????? ff15???????? 50 e8???????? }
            // n = 5, score = 500
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { ff15???????? ff15???????? 50 e8???????? 83c404 e8???????? e8???????? }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_3 = { ff15???????? 50 e8???????? 83c404 e8???????? e8???????? ff15???????? }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_4 = { e8???????? 83c410 6a00 6a02 6a02 6a00 6a00 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { e8???????? e8???????? ff15???????? 6a00 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_6 = { 83c410 6a00 6a02 6a02 6a00 6a00 6800000040 }
            // n = 7, score = 400
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000040           | push                0x40000000

        $sequence_7 = { 6a00 ff15???????? ff15???????? 50 e8???????? 83c404 e8???????? }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     

        $sequence_8 = { 50 e8???????? 83c404 e8???????? e8???????? ff15???????? }
            // n = 6, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_9 = { e8???????? 83c410 6a00 6a02 6a02 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2

        $sequence_10 = { 83c410 6a00 6a02 6a02 }
            // n = 4, score = 400
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2

        $sequence_11 = { 83c404 e8???????? e8???????? ff15???????? }
            // n = 4, score = 400
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_12 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_13 = { 50 ff15???????? 85c0 740f 6a07 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_14 = { 50 e8???????? 83c410 e8???????? 99 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   99                   | cdq                 

        $sequence_15 = { 83f8ff 0f846e010000 8b35???????? 6683bdc4f9ffff2e 0f8439010000 83a598f9ffff10 }
            // n = 6, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   0f846e010000         | je                  0x174
            //   8b35????????         |                     
            //   6683bdc4f9ffff2e     | cmp                 word ptr [ebp - 0x63c], 0x2e
            //   0f8439010000         | je                  0x13f
            //   83a598f9ffff10       | and                 dword ptr [ebp - 0x668], 0x10

        $sequence_16 = { 8d8598f9ffff 50 68f8494000 ff15???????? 8945fc 83f8ff 0f846e010000 }
            // n = 7, score = 100
            //   8d8598f9ffff         | lea                 eax, [ebp - 0x668]
            //   50                   | push                eax
            //   68f8494000           | push                0x4049f8
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83f8ff               | cmp                 eax, -1
            //   0f846e010000         | je                  0x174

        $sequence_17 = { ff15???????? 8d85f0fdffff 68184a4000 50 e8???????? 59 59 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   68184a4000           | push                0x404a18
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_18 = { 56 8d85c4f5ffff 53 50 e8???????? 56 8d85ccf7ffff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8d85c4f5ffff         | lea                 eax, [ebp - 0xa3c]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d85ccf7ffff         | lea                 eax, [ebp - 0x834]

        $sequence_19 = { be08020000 56 33ff 8d85f8fdffff 57 }
            // n = 5, score = 100
            //   be08020000           | mov                 esi, 0x208
            //   56                   | push                esi
            //   33ff                 | xor                 edi, edi
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   57                   | push                edi

    condition:
        1 of them
}