General

  • Target

    cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118

  • Size

    20KB

  • Sample

    241206-eywkmszmc1

  • MD5

    cb0261d9a3e77ffecdb51914b3690f18

  • SHA1

    9f2604c82b06cc7b74f354afa8daebec9e66fb83

  • SHA256

    b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9

  • SHA512

    8ad0761d452013f47a1805360057dec90c1016c76c80781e8420a4f29824687b0b396031521192d291055f125c96a87100cbe931d682b40e6e9edcb6acd39364

  • SSDEEP

    384:JV0mpLDSVriGcs3QhglYdOKgnoRoeo//HRpADW8qw4yyydir9r/WX7BBunmoFYfY:JyWLWVriGu6Yw7noRK/HRpADV4yysi5e

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://34c06a48a400dc40fcuahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb
http://34c06a48a400dc40fcuahnpdvb.topsaid.site/uahnpdvb
http://34c06a48a400dc40fcuahnpdvb.ourunit.xyz/uahnpdvb
http://34c06a48a400dc40fcuahnpdvb.gosmark.space/uahnpdvb
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://34c06a48a400dc40fcuahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.topsaid.site/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.ourunit.xyz/uahnpdvb

http://34c06a48a400dc40fcuahnpdvb.gosmark.space/uahnpdvb

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://78800e98f0cc24503uahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb
http://78800e98f0cc24503uahnpdvb.topsaid.site/uahnpdvb
http://78800e98f0cc24503uahnpdvb.ourunit.xyz/uahnpdvb
http://78800e98f0cc24503uahnpdvb.gosmark.space/uahnpdvb
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://78800e98f0cc24503uahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb

http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb

http://78800e98f0cc24503uahnpdvb.topsaid.site/uahnpdvb

http://78800e98f0cc24503uahnpdvb.ourunit.xyz/uahnpdvb

http://78800e98f0cc24503uahnpdvb.gosmark.space/uahnpdvb

Targets

    • Detect magniber ransomware

    • Magniber Ransomware

      Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    • Magniber family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (83) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks