Advanced Phobia

Back to Posts

Advanced Phobia

Reading Time: 8 minutes

Ransomware Gang Details

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses.

Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him.

Phobos is a ransomware infection that spreads through hijacked Remote Desktop (RDP) connections. This isn’t surprising, given that hacked RDP servers are a cheap commodity on the underground market and can be an appealing and cost-effective distribution route for threat actors.

Additionally, Phobos is not packed or obfuscated, unlike the majority of malware which is secured by a crypter. Although the absence of packing is not frequent in the general population of malware, it is widespread among malware that is manually distributed by attackers.

Observed Targets Industries

Unlike other gangs that look for medium/enterprise targets, Phobos team usually go after smaller firms that don’t have the financial wherewithal to pay massive ransoms. Phobos is standard ransomware that offers little in innovation. They do not use the double extortion approach, indeed there have been no reports of any underground leak sites revealing confidential information about their targets. This threat is most likely inserted to influence the victim, capitalizing on worries sparked by other high-profile ransomware attacks.





Yarix Response Team First Engagement

Yarix’s Research Labs (YLABS) in a previous blog post called “Phobia” has analyzed a specific binary related to Phobos ransomware to check if it does only decrypt the data encrypted by it; as expected the payload turned out to be a funny one, full of insidious functionalities that can be seen only through advanced techniques.

In this article the task is to pick up where it has been left off in the previous post, uncovering what still remains obscure.

Now let’s dive into it!



Malware Analysis

The analysis of the malware found by the YIR team (Yarix Incident Response Team) has been divided in two articles, you can find the first part that comprehend “Static” and “Dynamic” analysis by clicking HERE.

If you already read the first article and want to dive into the “nerdy stuff”, keep reading.

Advanced Dynamic Analysis (Functions Walkthrough)

Anti-Debugging Function

After the execution started and some code has already been executed the payload starts to look for injected code or debuggers through a dedicated function that has been highlighted with the “DEBUGGER AWARE FUNCTION” comment as you can see in the screenshot below

Advanced Dynamic Analysis – Anti-Debugging & Code Injection Function

To avoid that check the binary has been patched with a “jmp” instruction to the next code section.

Keyboard Language Detection Routine

As we know, every advanced malware always does some checks on the infected target’s environment. Also in this case some nice Keyboard Language Checks could not be missing in order to determine the origin of the infected host; following screenshots show some of the methods that have been found during debugging activities

Advanced Dynamic Analysis – GetKeyboardType

GetKeyboardType call as the name says, gets some informations about the keyboard layout and settings

Dynamic Analysis – language value check (Reg – HKCU)

Some checks in the registry were made in the current user hive to retrieve additional informations about utilized Keyboard

Advanced Dynamic Analysis – language value check (Reg – HKLM)

Additionally, the following strings has been found inside the binary


Anyway, those charsets strings have never been compared during the observed malware execution. However many advanced malware samples utilize “noise” code and functions just to misdirect payload’s debugging; so the analysts gets to follow rabbit holes that make analysis longer in terms of time and harder to comprehend.



File Patching Routine

During debugging and reverse engineering operations many hidden functions have been highlighted by the defenses implemented to protect them like infinite loop functions and methods that throw an exception if certain conditions are not met during execution. One of these “Hidden Routines” is the “File Patching Routine” that basically takes a x86 Binary and appends two payloads inside it, effectively creating a matryoshka where the malware from that moment on will puppet the execution of the real infected file.

Let’s see how it works step by step!

The biggest portion of the malicious code resides on top of the file meanwhile the second one closes the original binary with some uncommon B64 artifacts

Advanced Dynamic Analysis – Patched file structure

Looking at the process with a common “Process Monitor” like sysinternal’s one we can see how it takes the current binary that has to be patched, moves it into temp, applies the patches and then it proceed by copying it in the original location

Advanced Dynamic Analysis – Process Monitor File Patching routine

The function that does this dirty work is located deep inside the malware routines and it is referenced with a “7-zip” string.

Advanced Dynamic Analysis – Decompression RoutineOnce the method has gone through all the instructions, we can finally appreciate the “top” payload come to light

Advanced Dynamic Analysis – “Top” Payload

And in the same manner the one that goes at the end of the infected file gets injected into the (at this point) infected binary.

Advanced Dynamic Analysis – Infected file structure differences

It’s not hard at this point to see the differences from a good binary and an infected one, below are the changes that are made by the whole file patching routine:

  • Malicious resources are being copied from the infecting payload to the patched one
    • “CX” is the actual Phobos Ransomware decryption tool
Advanced Dynamic Analysis – “CX” Resource (Ransomware Decryptor)
  • Original file icon changes with the one that resides on the infecting payload
Advanced Dynamic Analysis –  Icon Change
  • General file size change (+ 678 KB)
Advanced Dynamic Analysis – Infected file dissection

After a few seconds of execution, the result is an infection distributed on most 32-bit binaries

Advanced Dynamic Analysis – Temporary files

Hidden RAT Drop

One of the core functions takes care to drop an executable called “chromehelper.exe” by extracting it from the malware initial payload; this binary, once executed, creates two folders called respectively “Mlog” and “Log” together with a file called “update.dll”

Advanced Dynamic Analysis – Segment of RAT components deployment routine


Advanced Dynamic Analysis – RAT environment establishment

From now on “chromehelper.exe” will hook on pretty much all processes the user uses to gather information about what is happening and executing every time the user boots his device thanks to a windows task created after a super-fast PID change (common AV evasion technique)

Advanced Dynamic Analysis – Google Chrome Helper task

By watching the queried paths a file took our attention under “C:\Program Files (x86)\Google Chrome Helper\Log\%DDMMYY%”, probably a support file for data exfiltration


Advanced Dynamic Analysis – File Events (chromehelper.exe)

During dynamic analyses, a rapid in-memory data storage activity triggered by user interaction is detected, this activity takes care to create the “YYMMDD” file inside “Log” directory, as you can see in the screenshot above.

YLABS even after getting a full comprehension of the malware functionalities by reversing and debugging it in various ways kept the process alive for some hours without luck.

In fact no C2 communication nor interesting activity was seen, although, thanks to all the other analysis methods we utilized it is easy to say with enough confidence that this (now) unactive payload once upon a time was an active Remote Access Tool utilized by attackers to keep a secret access to the decrypted infrastructure.





The ph_decrypt.exe file is an executable (PE) with the following hashes:

MD5: 89ca56158e78e180ef2a878a8aa42b1b

SHA1: 31998851095818c24d01117301ca93c4d7ccaca8

SHA256: 5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54



The chromehelper.exe file is an executable (PE) with the following hashes:

MD5: ca0b28f42c6c21a79fedaad02ca615b7

SHA1: 0468a398f0ccadbb2db5f70434f6751b3f470c6a

SHA256: fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd



Il file update.dll è un file Dynamic Link Library (DLL) con i seguenti hash:

MD5: aaec25e4932912e9327696fcf44a513e

SHA1: 51b5bb58cf195cc7fa781d53a4883c948c339d41

SHA256: f8023d85a9923810247feb245a0257bee3aa507f316bcca443bb4411637713b1



The “Upper_Injection” code is an executable (PE-Win32) with the following hashes:

MD5: 4f64bdbd3c952fa51ab26c346c523802

SHA1: 5b6b6841ac526007459d4cf9c1595813fae6ce9d

SHA256: 5b29b069d126dbd05c50ca2e09bc59757644ed1052f10b2d8af5eeed9d8cbfb4



The “Lower_Injection” code is a bunch of code with the following hashes:

MD5: 349dd0abd39571658d616e41363ccd0d

SHA1: aa163345dedfcd3ccc3420fca33fff18bc117bd6

SHA256: 5b01064b5e620ba9a0c9738b67dec0c984ecc1c8ab8e270975779ca2fac02876











Prevention & Hunting

Yarix Labs is constantly working to trace APT Groups movements by profiling their techniques and attack patterns to provide one of the bests Security Service to his customers ranging from Incident Response, Cyber Threat Intelligence, Red Teaming to Security Operation Center Monitoring.






Indicators of compromise

What follows are all the IoCs identified during all malwares analysis done to draft the current article


Data Type Value
File Name ph_decrypt.exe
MD5 89ca56158e78e180ef2a878a8aa42b1b
SHA1 31998851095818c24d01117301ca93c4d7ccaca8
SHA256 5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54
File Name chromehelper.exe
MD5 ca0b28f42c6c21a79fedaad02ca615b7
SHA1 0468a398f0ccadbb2db5f70434f6751b3f470c6a
SHA256 fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd



Name cx.exe (malware resource)
MD5 0566d73da02ac32ae31dd63ec363fd25
SHA1 b8a4e64aa7ddfa2b3cac6aadf16b17caaafbf4ab
SHA256 0ed85d779d7ed73e72bbcdfb91cc8334dade8dc3836eb705db53737cfa267177



Name Update.dll
MD5 aaec25e4932912e9327696fcf44a513e
SHA1 51b5bb58cf195cc7fa781d53a4883c948c339d41
SHA256 f8023d85a9923810247feb245a0257bee3aa507f316bcca443bb4411637713b1



Nicolas Fasolo is a member of the Yarix Incident Response Team. In the free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for the “Quarter 4 December 2021”. “Cybersecurity Podcast” Author.


Share this post

Back to Posts