Skip to content
Phobos Ransomware Analysis
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
pic Update Mar 28, 2019 Add files via upload Mar 31, 2019 Add files via upload Mar 27, 2019

Phobos Analysis

Phobos Ransomware Analysis

Password for --> "infected"

Update :

Apparently this phobos variant searches for C:\k.txt to extract its TEA key so it can decrypt its full payload.


img (closer look)

Take a look at the breakpoint in the above img, if the content of k.txt isn't right the CMP instruction will compare the 4 bytes in SS:[EBP-8] with the 4-byte integer constant 10. this memory adress contains:


so on the JNZ instruction we will jump and get TerminateProcess, lets patch it and continue.




As you can see the malware scrumble the file before deleting it so recovering k.txt is probably impossible.

#If someone holds both the malware and the key please share it!

You can’t perform that action at this time.