Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-10-2024 00:07
General
-
Target
377ea8e8c63f2b19b07c69492e99f3d8_JaffaCakes118.dll
-
Size
20KB
-
MD5
377ea8e8c63f2b19b07c69492e99f3d8
-
SHA1
dbe31e03e08116a69e435b4e083722a9745e54bc
-
SHA256
27ccf224a002dfa52b238c36b894991ca8f0b40c0741383c56fa4c31dbdd5cba
-
SHA512
c90414add29ad621923d38bdc3464295525ad884e64d9686a092a80e829f35692e1fdadd0e925539c0e0151f476d70860f48cc6a60504243eb3d96190431f87c
-
SSDEEP
384:KGAfHlDSTBkbMlSykOMIPSo0RsClrRjp1Sw6knL7ZcnA6AcIdrVpXsx45Xwpo:SfFAqbMlSykOnN0RsOFp1Sw6oKAjcIdj
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt
magniber
http://e68cc6b058b092c014qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec
http://e68cc6b058b092c014qbvpseec.gosmark.space/qbvpseec
http://e68cc6b058b092c014qbvpseec.ourunit.xyz/qbvpseec
http://e68cc6b058b092c014qbvpseec.topsaid.site/qbvpseec
http://e68cc6b058b092c014qbvpseec.iecard.top/qbvpseec
Signatures
-
Detect magniber ransomware 1 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 10 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 13 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\377ea8e8c63f2b19b07c69492e99f3d8_JaffaCakes118.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd /c "start http://e68cc6b058b092c014qbvpseec.gosmark.space/qbvpseec^&2^&28381314^&80^&363^&12"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://e68cc6b058b092c014qbvpseec.gosmark.space/qbvpseec&2&28381314&80&363&123⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5ea6b26df699f6030db0db38d8226a97c
SHA1e51cf635c65d8fce88b1fe9050ee65092700985b
SHA2562bac091a52e7e40673d0333b1148c4998b014ac987321ecef72377dcffacfa37
SHA512ba372865d15968f88cfb29117415a0aec12b06834b9cae85bea386302d5f4f38e28e308d46ff7d385623b40ec4458ebd041d2994552d4623773d7b2dff52ca6e
-
Filesize
342B
MD504b5faf86dec2869f21eea39cf9daf84
SHA1a5567a3550f54c0a670dd46c531af412e3665101
SHA2566f5a05a6383c6dfc33e19f3263d4578e5549a5d5bc220004a5ea9f55ccf64cd6
SHA512ec67518e717b308974768cd92223614348a52b8c2df77504b11a2e3febc2d4be5d5f17cb0d7a7af27146ddc16000d6aceae9f57e2cad4f5625b06604aca62975
-
Filesize
342B
MD5a3586e37d33a1f99124948016124e7b2
SHA10abcbdfafcebe7acbb9611e064a15a0cf4a12207
SHA256bde8b6f24dfc0270d20a6eb9361e03aaf24120b6ca044cc1f88737cd8298c8b7
SHA512533b698c651d9dd858944724759e62799abdbf0d2be39d219c9b8029581a5fa0c86932d631eed7bcb063771bd90d620299746e87cb5ddb98c3271e377ed81640
-
Filesize
342B
MD52a7780678ce1a48e6c28b8a531e500e8
SHA183d5f8ed609b6e51f62f922e44996c1fdcb88311
SHA256569a900230565334a53fd59f9a1f55537f0e837b34f0bbb4100ec2724ff8e5b7
SHA5129f64cab334942ac9c4eb094265fb7a3441f453cb9e0f2d701b8cf8201f4b07ef8c4e2cb45949ebd7b50e0300ab7114ead11cae35bd5bbe25fae9ec96c90923db
-
Filesize
342B
MD57f1f22c38b0318b5d819e6151f617e8a
SHA1b38c39b59480779756603c807a0980f7e0b46f52
SHA2561ef9cff67f3b5635eec96e8db0fdde14788adc7af573f14d23344cbcceabb4e5
SHA5126fcfb4cf6d093071d950a0ff16c81355348f5de57a8830f75515173f2a5cea7f3950fec753ab840b1bac74def77d99b1d4d0925251fd64527d3b52f205dafac7
-
Filesize
342B
MD5dea0a7f26d906f23f564ea17b21fda1e
SHA143a338c0fe8cedf8e1de1832c07ef800d9199c55
SHA256aeb4f5821e397c22e02c9f43729c2893e51968049554f7e5f91bb2d01c74ae82
SHA512c3c9b8c83689a8968bc844ced04f00bdc1aae7860488dd85a95e00652a9908788f55e33961a4cfa5e270e98ce576660ed376387226f859df43fbaf6634dd3877
-
Filesize
342B
MD517e17c85af913c17fca50bd1d2927dfa
SHA14e694477a70f153abe9832b380a65c07e27195f8
SHA256c699c52a35f40335bd186cdf5b0a724a4fab815d67e642b581797a9dc8064147
SHA512b31095b7e69d9172a9fbbc09142ae93c50b10221a1059d7c174942acb1c47b8fd6ef3b052470038282fd653326fe513c59d550c70b4a87a3cb3db8cc4f939543
-
Filesize
342B
MD58f94f4c9a9f90d30ff4b0baa015c64fe
SHA176d1468d85554af4ac1c736b6d225de2bfb37cfd
SHA25643a365873247b7587660188640433039c920ebc27e0fade0b8d93263924361fa
SHA5124bf171242845929720873ca6ccb7b140c53eb28bd0ee7a59cc28d7d8a50581a5919b56e6811a6748ae9de401e0565e496696d96f089196fa7d4230b39bb8e60f
-
Filesize
342B
MD54a33d7dd9ae8a71317fa93a4c6fbba5e
SHA1bb8cbce45a382ebc2caa86577dcd83928da144b2
SHA256fcdfc9ef147bdaaa73a03763afa868d05aa2909f449f16440456e7acc0fd355c
SHA512661dd805585f0b77c4476d71fec75ace094271018fd3d229b781707504c3ae45702ab83afb7a792b3d8812616376cbb9c0800c96a3e645e447c78e06d7f3de91
-
Filesize
342B
MD524bb8f6a76964233e4dfc3b43b44c7fc
SHA14f08da2c978ad5e473b86147ce01006826c97c5f
SHA2560f539c702e3d7461bb94b7cb1d195e6b6d9e15c88965bc93e0f6b2dbe0bd70e4
SHA5127934786fce2ffaa6d808313ae5c89d423f05c23e343365b6e45bb640052cdab8dbcc4bb4bee39c2222b28032500c8843112f826684372d371ee56b7763660d22
-
Filesize
342B
MD587de5b8d2ed923dd5cf0be4ff578a5da
SHA1be736a0381d41dc8794ca51905d2b4b7d9156663
SHA256c33c61c15754a214dfbf74384b965cdc6552a5cb040638c86854cce73da5f436
SHA512dd6dc4be910bf3de98fe5d6559139dea78db6ac47ed6dd272f301807aa74a4622569996f90fbfb876114076fb761bce86de2fbe62167d5d1560ec9f9c197211c
-
Filesize
342B
MD5df7b41878b8f3de6c06ffb65357591b4
SHA11dfea72bf812c2237b7ec8c5064230bbbb00e9c6
SHA25617a4a7071f07df8d4c4e9c105ad0e05c4e9d146e399a76c9bd0510ecb412367a
SHA51284c99a128e97309af3a0a0d69ce88ae7a9d60b05720f161b223f4a7b43a4ff5a8651cdd6cdf2f03fbd4eb5e25ff5d2ed3792b5a31912e7d37c16e529bab2ec1f
-
Filesize
342B
MD5d3cdfe938c95291b6d5ff03b263418af
SHA1e4b7ee496cd1882deb532ee7c09e92cdfbdf683d
SHA2564ff616a77210cc173b9e125b54ab15937e5db9c74da249036fd15ec2860f0f37
SHA512027b155984bdae4f40b61b5b5bae35f07ae3565a061a31b7d7a4a198253e3d6de4ba6670f1a5b3af6cc118e5a3deba5e1f1d2a9edcf3169c19ee755a120012d0
-
Filesize
342B
MD545bf80572bd04273d1ee61ca3d9ca86f
SHA1bbf39a5169304225a102d91d75c73dd7647295c5
SHA25605e7bed47ee94585b34147245d52d89f545ac2c3ff0df8ad46a91317a4a0b47f
SHA512bd857f697a16eabd4a07492d618dc689a331604e26d25b940790ddffe0751c640e87ee77e205008adbe76553703951d3176bb8b0e7de73c4b827a58e1e7a50ce
-
Filesize
342B
MD52f5905b148eae38e15b7c518798e2462
SHA1607a5bcbde8c9a2e4a89f1dfc1ac9e54aa6d240a
SHA25632257ec11b67c212ed3f2609d31183f9e940a31a9967d010287f1b5be674d6de
SHA5122b7db4c4007139929ad080cbde0b1ba57cf479d4c1ee1d8da5736527b751975e1bd4fba2c9c409532711e841b58ca90f7717214e249adbb399a08c801e5d59e6
-
Filesize
342B
MD50e3ea56c14b1bd397a87d01fc254c3fe
SHA1dcbf1db5b7696c407b3bdca0945d8d0626159f9a
SHA256dc1132d0c888569210bdd1a5a924431e6daa84d558c1efbfedb92f0fbdb2c8a3
SHA512bc88edb457850ade6a0ebe9be70f06e51cac9a39184e075ebc8a2ff0a342a695735c6c91bddabf44c0a09f64b079a7a5e00082c57b6033006f1431dbd04810c6
-
Filesize
342B
MD52e89501746b5f962accd948eb2c24b08
SHA1ab92e22bb1ffd7d79ba92c05804c75dcd69bc4d7
SHA256f89e31cebea6d1d5634443ba9a54f9a4167d3667c1b51fa5d2c4ce65c62fb952
SHA5129df88db7432183964e65dc3273d3797eb27fa61f28d3ad6e677aa01345ef83a5c1a517c7c12758d9ab0e1358b7ff67dd03dfe7b60f4ea7dbe176aa65baff2203
-
Filesize
342B
MD516e5f81004bcdde5e101f197fbdd29cf
SHA188b50eaa6f77f8a230b0adef47428cabebca96db
SHA256748446db598df81b42454bf50784e146e672c27257ecf7975fbb5dd7e3040308
SHA51230113b24ef42d0836d7f65c7f2d720723557d47f29dff1c3b092db40e7c66f470e0729e52acf51e025271b4c15b15dfc375dd7b6f8dafa48e487f5454485cc6b
-
Filesize
342B
MD505b11c99bac72f888584e8caf24d931f
SHA1ee73629370d7e519b683ad5b5e2c5a729710d81d
SHA256ef16bc4d8119b0a99ccd4585110b7075f154feb408a2c344170012fa126c5c0b
SHA51288091a757c4410191ee746efd89908c3bb1e414d01ae0e19db751536f942f3c53e69f8e436a7d4604bfb4dbf9f3d385739ca131782fc46022e17d80cef60aaa3
-
Filesize
342B
MD57ca357f30040657e91d2b21b702aa67d
SHA1e6b1d294c90edf0978a7e908c339541555e3d6a3
SHA25646ad021ddf157b2956a7100923a6bb9785f08b425f473572235d7c9810e06d2f
SHA51214b9a674e6a98b165a065f3d226552f72a77ff0aa669e8bbc3603dfa1abbab59aa109e9b6125f83c3ce96258012a793db420a3ccd646aa90dfcf7cec621eedae
-
Filesize
342B
MD568ef63a5e01cbea61c18b377f3b48841
SHA10365b1bc5e9e11e4071051c68af2be383c18b972
SHA256ec780870a7d71d0c7e412d151d89e53b28511c3ff59ad47b8dca9773c116949a
SHA512f553e9009ef9dba5b20e2c50c5c11e89488a98ff7ea9361fdd72d3af836c3da5503be16af38c98527e9bebcbd4c3f9d561e3cc96479a2080dd0d2dff216cbfe0
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD521718a759cdde8aa7a0b9f626805a415
SHA14522ffd2cef4f64fc7edb39bdae8b92f5a900f04
SHA2567dc86d9082a60741c05004c491d9f32add2bc23aee3ce9bdbe378c044554c6df
SHA5122cdd7fede38493911e89426e3f59ce6df24bcc8f13a896e3bdcd99ec51857c57068b738d17fb233e1b81afb67e6e1d9e045c895b8954be6521ceb9da602138e5
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
20KB