Analysis
-
max time kernel
120s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
05-12-2024 10:45
General
-
Target
c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll
-
Size
20KB
-
MD5
c752934305e1b89f82798ea2c26f70b3
-
SHA1
d5034027ea79146d7597542d0b9ae040ec632e18
-
SHA256
20e29bfcd2d3372af66eec996bcbc0babbeb8bc36b6a3edcd3afc70782aaea2e
-
SHA512
ad52c0b638770999fa9de9242161e3d8b30cfa9a66ce34d6dc870b47cf1a9479a76ea04b556affddcfbdb8bf229e488a9fb2a3c5d225df58cdb467c57c2ed179
-
SSDEEP
384:ebYQedPt/jViMyZXH8N2hjpzge669ZrzGYzPbJBn9JTpXJYDd4Pm3ixs0xsSBB/q:UYtNt74f62hjN79B9Jh9J1+DaP2gBhb
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt
magniber
http://f498ace85800dc40daditeiyb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/diteiyb
http://f498ace85800dc40daditeiyb.topsaid.site/diteiyb
http://f498ace85800dc40daditeiyb.gosmark.space/diteiyb
http://f498ace85800dc40daditeiyb.iecard.top/diteiyb
http://f498ace85800dc40daditeiyb.ourunit.xyz/diteiyb
Signatures
-
Detect magniber ransomware 1 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Magniber family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 10 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 13 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
-
C:\Windows\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd /c "start http://f498ace85800dc40daditeiyb.topsaid.site/diteiyb^&2^&38246732^&93^&405^&12"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://f498ace85800dc40daditeiyb.topsaid.site/diteiyb&2&38246732&93&405&123⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops desktop.ini file(s)
- Modifies registry class
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD514265faa6c0b165b8e201d5129dc20f7
SHA1e5ae4c366d3e1b5225f260b8d67ddeb18c4f8a68
SHA256c9c80d323b3d78afc7e237a2d84474b5304509bfef6043563b03a934e950435f
SHA5121e93a885553e16d44165651af8452fe3965d5892e6c6dd1f4318cd62efaeb03016e7a977a31c1daf4646dd04e31ca6880409b0e6f6328b30507705f09de65ba7
-
Filesize
342B
MD595fc4f6823b883525efd4f5fd89cce0a
SHA12445ff79beb4ec49507ee552029433d3f9729bb8
SHA25607de3613817d3b232c4cfbf113cfb3bee99e895d450fbc8d6a8ca48c0a4e604c
SHA5124e868571dc618936f85ca75386b6fe583f05c03855960e3b9e170a1605efc0ea83e1efd4383ebcdc53f702ebb0db19b206fd473654bc72ff3496a45a0a997d74
-
Filesize
342B
MD5f32323fae3c2898741d9ebc154bcff1d
SHA1db68328a1b1cc1c3eae4d9b5845c69f56768f65f
SHA25648944175f8d83cfe59ef0abadbcca9999b37859ae77cc9ad1b448c4b553659fe
SHA512a7540eae79126b71a39a3fa81976d984ef2f7cb92439085c47d08e2500194ad3b77964d37579743f591bd8c1cfaef1e68ae340385f51fc32f5cabb0ee7faf7ad
-
Filesize
342B
MD501ffb49e06d9cbde4d5c9af0948b7689
SHA1105c12630b30d75c0874557598e1b513d8e86ebc
SHA256bd7b4f644caa2eae594ce42cfad8acaa31a1109fd0b3e2d1049ab0a158da470d
SHA51220990b75618446c6b446067328b95a8aa677365fe852aed142fe43198f4a3335c9e34d03df967d8372bab1e06976b59d7d883993be81647ffd866969b57e36a9
-
Filesize
342B
MD56ea2dad8a36a8b612868a412b1159e62
SHA13fc30aab213fd8c61fcc8eb158910e48ecba528a
SHA2564ba2487d421bfc1259fd2c66bb8fd9193700a2668f616b06c0cc790edeb2ede6
SHA5122cd82c73eaa50d9c8caa02238fc2a2a180d46262fa6602f11ab9fed49fe3168c66e783d198c2cbcce49f3306e30745efd2e634ec71f865bfa9557bf683a049e8
-
Filesize
342B
MD52ec3238d42140ce86ca272dc58cb57f3
SHA169c2473bb4dca1edc97ebeb2b5b2e5cea40c94a5
SHA2566419ebd6a80c656b5fa2a01323338a9ed86d74f6fa6cf6c56e577b72f9f55c32
SHA512b62d16af38097c7ab6f99fed1f1d3b1892e0f47ff183de8cb54dc81d9918be65e0d734faedd53a2ef9e7946f411a6d76d19414a6ecbd2985bb7d94584ed13282
-
Filesize
342B
MD51c88b24a1cc2c4bd187c27e9ed1d90d6
SHA15db5cdeabf6fcde26fe942b93c460cb001d461db
SHA256d6e93a68ecdaad4377378f01b0ae41415d845442d2cca24173fb7cfcf5ed2e79
SHA512526533cec09d36b45058bc3683cb9ff6fab9115f9492b46644778998b85cd2cd466e5af0eb0d7fe8c53fe8eb5e989502d592c2aec0c551692b91591840b6b008
-
Filesize
342B
MD560b261c401e4285b6d9bbe0e946028e1
SHA18320f63ac7a6869fb0ee953b8c0d376f27c80255
SHA2567510f90d2c692f3e69293a73731be12437c8ccad0d1467102682d48ebe2b5090
SHA5121dc7b3fda0937e8ea8d5c88b978bf9ebbff766acc71bd4e5010d113e8deeec8fb310ad6c42cee1c9160c828d7aa09b0365717909b7151560c50daf36bbae6173
-
Filesize
342B
MD58957ca7dc380e31dca817171e11ad422
SHA11f16c5eac4d922d8e71fa9adc7131c0190816a9c
SHA256fac92382cf3640ad0720e766da26ab125b7f822a6efe1fe7823f67c716cdea4b
SHA512d87296ea41ab6e2dcfcb77ba97944dd6f9082ba2a3f839c9afee0268d3d595d1b181de314f42264031d9157bc63f1425e7d244cadd4a0fc5a1ba0a6b694c868d
-
Filesize
342B
MD5ef06d3d9f73df2ef99b2b62c46d23324
SHA13179b1ef268e698f133f9c0ea6a0d98af00ed36d
SHA2560d227c164ce65f59cf6207168d67577e46b98f59b1ae6a62167b718dcf5e2240
SHA51260fd7c57676876d1726881393906b0cc71798b7955ebf04e64685720b8057a94b7f7297c1e5be00af208c658a1b9dbc961d6d36511b412924f4a652b9118438c
-
Filesize
342B
MD527d56cb878bcb14add600eb1bdf9d2ff
SHA1ab64e689f2f21bfcbafe1a56d4cc6814ff9d69dd
SHA25648b912b2995ce33eaf80df2b6912d654a47be8387afb36bd5f4896145309f30a
SHA5121fc0b3a73a23cd0c830ba71c00b2ea931028fe14e918c2ab091f4366146929d1966a7d0e4e8e84be9697ebe7f1b91f78eb327d9a96404d38738d4dcf47a8bec9
-
Filesize
342B
MD5454faccd17bf24bd0010565dcc7be13a
SHA1a3ca6a3c7b6339eabbed221d12756361fbc0be46
SHA2568d7972fa1995fba5291876bed57063b010b130fef6c9ff9c9fcdf800531c819b
SHA5129da6c2210bacf732498f2bc1ac5203b90a0fe014a5e93a8c9498f74292dc1b3f7e0647ef93c359d622a88a159688c787395305d1bd15355b81e6090f6a37e06b
-
Filesize
342B
MD5616500c067bb434d6ec4b5765501d955
SHA1ff930e69454f4029f990ae439bb821333f7a0aba
SHA256bdd4b3afa2f2d27166398ffa04713872eb2662b5379a7e0bd9c83e45e9eb9c0e
SHA5124a80f11b4a07a7965eadcf5777adf85614e629ca3d8cfbce8855226c1f65dfde585a2bdf4215c577e0ea8b570c26441d8aa2b4b9b34ad30dc5127d2ffbac526f
-
Filesize
342B
MD539b29b600153b22dbfcfc756b9881ff3
SHA1936da847998a92a853ff413568db831ffd47753d
SHA256b74c92409f7cf2c8c1301b96fcaff8069536108e8e259f169fb6bc2914992a22
SHA5121978ab6bd9c0b17c0bfad41146e32c96a08cc3b693e925a26b70851f36fd12c331863db3819761f8b3fd1243b39eab3ad0276699c99305f098b767e8e1d0edaf
-
Filesize
342B
MD50c313607a3dc9ee6a72010389474aedb
SHA16808d53bd9fe2817a7e96fc99575aadb8bf5baef
SHA256848bc2864c38c0a9d68eb8294d1d0cf57c797d32990ba1dbe8121e11fd8bd9f3
SHA5123cee1d23aed0c2d54fdcb87eebbcf16c84cce169991b2af6aea8e2297841a163e0ec60ff0fcb02231da840cc6548ae5da810349db11f0039071b13e0126cab73
-
Filesize
342B
MD5278343698724c2bc83aa1b47df0a4afa
SHA10b96ccec932a0479ec8b2534913e8c3cc6a9f994
SHA256b93f4ae736b953147f63796dcdda63c9c8f14d97690c4ce5bb0bab2bc7fa4305
SHA5125a47316fb486dd377ad02e4d069ba4a06827eb578d95e91f1dcb7f4104103c09e9191ab90d8fd3f78228edf3b362e299e4125628e01b1b8918e2f16bef86d567
-
Filesize
342B
MD55a196faa146a87bc68cb41f64afb4658
SHA11290a17cfef6b0595cd19006c159eff15d937dd1
SHA256285fb93409e83dc2339fb9547ff578f75b3a62329c24cc94678ea19a2569480c
SHA5122f416a54a5bda3f8c28539b3d69feb740755da1ecd504ebb2f5f64ca6f3846dfd05bc792ddc4b71392f779aead9b433b4a5f92bed9274ccdf415b1f9e0970859
-
Filesize
342B
MD5798b232265c15fad76b5e1bf7376a880
SHA1f3e573016ba9876b1051bcf405476922b7751452
SHA25630537779df1c7c9066a3bb39e6ff859b150fa0b29438292236a3c039ae2ce75d
SHA512899078c3c511675e9155e8cd3fa70a6006fbaca3190553b02078732d0fdfc658b2ed0ffd8151431d9b7ab582a65c64f5b7f23ed0d8778abd04734109cd8ada59
-
Filesize
342B
MD50d0737c7814266fa64e86e618fdc3871
SHA13670e1c2dfb36a95ba638df2b4c3b6fc8c56a922
SHA256cc4d6fc7a91bbeb172c6a168f47e86daf4f255cbb2da1bf900387c09632a01a2
SHA5120b87bebccd414419ca251fe55cedac0b96b23c2644698a5c7c1702e63aa7ad2fd4fcd638f0b79ae001f0d9061d964ba1966f4b555a73860f61a9bb76f6f2bc44
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD5cf6c0897802ebdb0a67c2fa5a478a570
SHA176a1374865972151672cc8be0bcb84d290a204bf
SHA2561c706f882543ab94da63b6181500d7d8296ab241df4aca9a3c0750a9fe30f8aa
SHA512c197446faa6005bb2bba2f5382703e408715d4b0929ccf93ea26f9716b9a21edb184c2353e0676b8c2bb87fba4c980499826195e6ed6b8ba7e398c1e05926a22
-
Filesize
20KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
2.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB