Back to Posts


Reading Time: 9 minutes

Ransomware Details

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses.

Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him.

Phobos is a ransomware infection that spreads through hijacked Remote Desktop (RDP) connections. This isn’t surprising, given that hacked RDP servers are a cheap commodity on the underground market and can be an appealing and cost-effective distribution route for threat actors.

Additionally, Phobos is not packed or obfuscated, unlike the majority of malware that is secured by a crypter. Although the absence of packing is not frequent in the general population of malware, it is widespread among malware that is manually distributed by attackers.

Observed Targets Industries

Unlike other gangs that look for medium/enterprise targets, the Phobos team usually go after smaller firms that don’t have the financial wherewithal to pay massive ransoms. Phobos is standard ransomware that offers little in the way of innovation. This gang does not use the double extortion approach. There have been no reports of any underground leak sites linked to it revealing confidential information about its targets. This threat is most likely inserted to influence the victim, capitalizing on worries sparked by other high-profile ransomware attacks.


Yarix Response Team first Engagement

Malware Analysis

The analysis of the binary “ph_decrypt.exe” obtained by YIR (Yarix Incident Response Team) will be divided into various sections distinguishing between static and dynamic.

Static Analysis – ph_decrypt.exe

PE Sections

Static Analysis – PE Sections

The binary has several sections such as “CODE”, “DATA”, “BSS”, “.idata”, “.tls”, “.rdata”, “.reloc” and “.rsrc”; in particular, it is noteworthy that inside “.rsrc” there are two particularly suspicious files given their Magic Signature which leads to an executable file and a Delphi Form.

Proceeding to a more in-depth analysis, it is noted that by exporting the binary resources, several secondary encrypted payloads emerge in addition to the two executables specified above

Static Analysis – RCDATA

From the static analysis it is difficult to understand the true nature of textual resources such as “EX”, “KD”, “TK”, “VR” and “WO” as they appear to be strings encrypted by a matryoshka of different techniques that once decrypted lead to the evidence of payloads encoded with unknown methodologies.

The textual resources are then used by some internal routines for comparative checks during a strange file substitution routine analyzed in the dynamic analysis section.

As for the other resources, their use is as follows:

  • CX Executable created by the malware during its execution and renamed to “.cache_% FILENAME%”, in addition the binary is hidden and flagged as a system file
  • TMAINFORM –> Form of the decryptor written in Delphi and used as a “GUI” for entering the “decrypt keys” provided by the Threat Actor and selecting the UNC paths containing the files to be decrypted
Static Analysis – GUI


Static Analysis – PE file-header

From the header file some useful information related to the nature of the file can be found, such as:

  • Payload has been compiled for 32bit architectures
  • The compiler date is pointing at 19th June 1992
  • Symbols have been stripped from file



Static Analysis – PE explicit imports


From the “Explicit Import Table” the following DLLs imported from the binary during the loading phase are detected: kernel32.dll, user32.dll, advapi32.dll, oleaut32.dll, version.dll, gdi32.dll, ole32.dll, comctl32.dll, shell32.dll, wininet.dll, wsock32.dll, netapi32.dll.

The type of imported DLLs suggests that the binary is not limited to the decryption of files as there are “wsock.dll” and “netapi.dll” for managing sockets, “shell32.dll” for sending commands via shells like “cmd.exe” and many other functions not normally present in ransomware decryptor software.



From the “Function Table” you can see the following functions coming from the DLLs shown in the “import-table” section of this report:

GetCurrentThreadId, SetCurrentDirectoryA, FindFirstFileA, WriteFile, RaiseException, GetKeyboardType, ShellExecuteExA, SHGetFileInfoA, SHFileOperationA, InternetGetConnectedState, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, send, recv, ntohl, ioctlsocket, inet_addr, htons, htonl, connect, closesocket, Netbios, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindClose, ExitProcess, ExitThread, CreateThread, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle, LoadStringA, MessageBoxA, CharNextA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, SysFreeString, SysReAllocStringLen, SysAllocStringLen, VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA, UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoUninitialize, CoInitialize, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

** Malware can load DLLs dynamically (as it does), so many more functions will be available to the payload at runtime



Static Analysis – PE strings

The strings found in the payload provide some information about the resources it will use during its execution or additional information regarding its nature such as:

  • Use of strings recognized and contained in the well-known Sysinternals software “RDCMan.exe”, there are also some resources equal to those of the previously specified software loaded in the payload for obfuscation purposes
Static Analysis – Well Known Strings
  • Insertion of strings useful for establishing remote connections
  • Presence of “.xml” files used to establish persistence through “schtasks.exe”
  • Presence of strings often used by Keyloggers
Static Analysis – Keyboard events strings

Dynamic Analysis – ph_decrypt.exe

Execution Flow

Executing the Decryptor leads immediately to several payloads drop detected in different folders than the one in which the software is currently located.

Dynamic Analysis – Execution Flow

Nevertheless, the dynamic analysis alone does not lead to understanding the true potential of the malware itself, as there are several pre-execution checks in order to hide some features that will be presented in the “Advanced Dynamic Analysis” explained in the next article.

Below is a list of commands executed by the payload to maintain persistence:

  1. exe /C schtasks /QUERY /TN “Google Chrome Helper Update”
  2. schtasks /CREATE /XML “C:\Users\Gigi\AppData\Local\Temp\r4j.xml” /TN “Google Chrome Helper Update”

The execution of the “main binary” triggers after a few seconds a routine that does an environment verification to check the country and language used by the user

Dynamic Analysis – Language Check

in addition to the creation and execution of the following files:

  • “.\.cache_ph_decrypt.exe” –> The real decryptor software
  • “C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe” –> Secondary payload
    • After about a minute of running “.\chromehelper.exe” proceeds with the creation of “.\update.dll” and the folders “.\Log” and “.\Mlog”

At this point the decryptor GUI is invoked and the user can proceed with entering the decryption key and selecting the UNC path to restore.

Dynamic Analysis – Cross References

The research team then analyzed the activity performed by the “chromehelper.exe” payload which is nothing more than a version without the “CX” resource found in “ph_decrypt.exe”, [737KB – 60KB = 677KB]

Dynamic Analysis – Payloads properties

“Chromehelper.exe” as soon as it starts creates a file called “r4j.xml” that will be used almost instantly to set a persistence into the infected machine

Dynamic Analysis – r4j.xml creation

After 30 seconds of starting the PID related to “chromehelper.exe”, two invokes of shell32.dll are detected for the use of cmd.exe in order to establish persistence using windows tasks (schtasks.exe)

Dynamic Analysis – Windows tasks persistences

The payload then checks if a task is already present with the command “cmd.exe / C schtasks / QUERY / TN” Google Chrome Helper Update” and then creates the task if this was not detected by the second command “cmd.exe / C schtasks / CREATE / XML” C: \ Users \ Gigi \ AppData \ Local \ Temp \ r4j.xml” / TN “Google Chrome Helper Update” which this time will use the previously created xml file for the job parameters.

At this point, the scanning phase of the environment begins in search of unspecified information as the activity seems to be aimed at verifying the properties of each file contained in the system

Dynamic Analysis – Scanning Phase

The main event of this phase occurs when a 32-bit executable is enumerated as an internal method is executed that proceeds to replace the original executables by applying a patch that forces the execution of “.cache_% FILENAME% .exe” where the variable “%FILENAME%” takes the value of the original file name

Dynamic Analysis – File substitution routine

Once the files have been replaced, they appear in different ways as for some the icon is also changed to the same one used by the payload and others continue to keep their own as seen in the following snippet

Dynamic Analysis – Files substitution

This patch changes the size of the file and consequently also its hash

Dynamic Analysis – Substituted and original file hash comparison

In the image snippet above you can see how the “Autologon.exe” file got patched even changing the application icon, from the default empty one to the “ComputerScreen”.

This modification consists in the addition of the resources already seen previously in the first payload (CX, EX, KD, TK, TMAINFORM, VR, WO) in addition to the modification of the method with which the executable acts, in order to execute the inserted resources previously

Dynamic Analysis – Resources comparison

The execution of one of the modified binary arises similarly to the first start of “ph_decrypt.exe” a copy of the process executed in the same folder with “system file” and “hidden” properties and the execution of this file injected with “update.dll”.

In the next image you can see a normal execution of a maliciously patched “autologon.exe (Sysinternals)”

Dynamic Analaysis – dll injection

The true purpose of this complex infection is not yet clear, in fact, even after several hours of activity, there are no links to external C&C and/or other relevant activities. Surely this type of persistence and the worm functionality transform the device and potentially all other hosts on the network into ready-to-use bots.




The ph_decrypt.exe file is an executable (PE) with the following hashes:

MD5: 89ca56158e78e180ef2a878a8aa42b1b

SHA1: 31998851095818c24d01117301ca93c4d7ccaca8

SHA256: 5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54



The chromehelper.exe file is an executable (PE) with the following hashes:

MD5: ca0b28f42c6c21a79fedaad02ca615b7

SHA1: 0468a398f0ccadbb2db5f70434f6751b3f470c6a

SHA256: fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd



The cx.exe file is an executable (PE) with the following hashes:

MD5: 0566d73da02ac32ae31dd63ec363fd25

SHA1: b8a4e64aa7ddfa2b3cac6aadf16b17caaafbf4ab

SHA256: 0ed85d779d7ed73e72bbcdfb91cc8334dade8dc3836eb705db53737cfa267177


Prevention & Hunting

Yarix Labs is constantly working to trace APT Groups movements by profiling techniques and attack patterns in order to provide one of the bests Security Services to his customers ranging from Incident Response, Cyber Threat Intelligence, Red Teaming to Security Operation Center Monitoring.



In the next article YIR Labds will deepen the aspects related to the code hanging from the replaced good files investigating through Advanced Dynamic and Static Analysis all the most gory aspects of this sophisticated malware, of which the main purpose is still obscure.

Stay tuned!


Indicators of compromise

What follows are all the IoCs identified during all malwares analysis done to draft the current article

Data Type Value
File Name ph_decrypt.exe
MD5 89ca56158e78e180ef2a878a8aa42b1b
SHA1 31998851095818c24d01117301ca93c4d7ccaca8
SHA256 5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54
File Name chromehelper.exe
MD5 ca0b28f42c6c21a79fedaad02ca615b7
SHA1 0468a398f0ccadbb2db5f70434f6751b3f470c6a
SHA256 fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd



Name cx.exe
MD5 0566d73da02ac32ae31dd63ec363fd25
SHA1 b8a4e64aa7ddfa2b3cac6aadf16b17caaafbf4ab
SHA256 0ed85d779d7ed73e72bbcdfb91cc8334dade8dc3836eb705db53737cfa267177



Nicolas Fasolo is a member of the Yarix Incident Response Team. In the free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for the “Quarter 4 December 2021”. “Cybersecurity Podcast” Author.


Share this post

Back to Posts