RANSOM_MAGNIBER.R

August 23, 2018

Analysis by: Carl Maverick Pascual

ALIASES:

Ransom:Win32/Magniber (Microsoft) ; Trojan-Ransom.Win32.Magni.bdl (Kaspersky)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

TECHNICAL DETAILS

File Size: 35,328 bytes

File Type: DLL

Memory Resident: Yes

Initial Samples Received Date: 17 Jul 2018

Payload: Encrypts files, , Displays message/message boxes, Drops files

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

%System Root%\Users\Public\README.txt
{Encrypted Directory}\README.txt

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following processes:

notepad.exe
pcalua.exe -a http://h5wooy802ia4669395d.fitmuch.pw/3123dyaaghemy -> Displays the payment options
pcalua.exe -a eventvwr.exe -> Elevate UAC settings to HIGH
"%System%\notepad.exe" %System Root%\Users\Public\README.txt -> Display Ransom Note
"cmd.exe" /c "%System%\wbem\wmic shadowcopy delete" -> Delete backup images/shadowcopies

It injects itself into the following processes running in the affected system's memory:

notepad.exe (added process)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

dyaaghemy

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_USERS\{SID}_CLASSES\mscfile\
shell\open\command
= cmd.exe /c "%SystemRoot%\system32\wbem\wmic shadowcopy delete"

Other Details

This Ransomware does the following:

It will only proceed to its ransomware routine if the installed Language Setting is one of the following:
- Chinese - Macau SAR
- Chinese - China
- Chinese - Singapore
- Chinese - Taiwan
- Korean
- Malay - Brunei
- Malay - Malaysia

Ransomware Routine

This Ransomware encrypts files with the following extensions:

doc
docx
xls
xlsx
ppt
pptx
pst
ost
msg
em
vsd
vsdx
csv
rtf
wks
pdf
dwg
snt
gkn
docm
dot
dotm
dotx
xlsm
xlsb
xlw
xlt
xlm
xlc
xltx
xltm
pptm
pot
pps
ppsm
ppsx
ppam
potx
potm
edb
hwp
sxi
sti
sldx
sldm
vdi
vmx
gpg
aes
raw
cgm
nef
psd
ai
svg
djvu
sh
class
jar
java
rb
asp
php
jsp
brd
sch
dch
dip
p
vb
vbs
js
asm
h
pas
cpp
c
cs
suo
sln
ldf
mdf
ibd
myi
myd
frm
odb
dbf
db
mdb
accdb
sq
asc
lay
mm
sxm
otg
odg
uop
std
sxd
otp
odp
slk
dif
stc
sxc
ots
ods
max
uot
stw
sxw
ott
odt
pem
csr
crt
key
pfx
der
cd
arw
jpe
eq
adp
odm
dbc
frx
dbs
pds
pdt
dt
cf
cfu
mx
epf
kdbx
erf
vrp
grs
geo
st
pff
mft
efd
rib
ma
lwo
lws
mb
obj
x
fbx
dgn
abs
adn
aft
ahd
alf
ask
awdb
ba*
bdb
bib
bnd
bok
btr
cdb
ckp
clkw
cma
crd
dad
daf
dbk
dbt
dbv
dbx
dcb
dct
dcx
dd
dmo
dnc
dqy
dsk
dsn
dta
dtsx
eco
ecx
emd
fcd
fic
fid
fi
fo
fpt
g*b
g*v
gdb
gwi
hdb
his
ib
idc
ihx
itdb
itw
jtx
kdb
lgc
maq
mdn
mdt
mrg
mud
mwb
ndf
nsf
nyf
oce
oqy
ora
orx
owc
owg
oyx
pan
pdb
pdm
phm
po*
pth
pwa
qpx
qry
qvd
rctd
rdb
rpd
rsd
sbf
sdb
sdf
spq
sqb
stp
str
tcx
tdt
te
tmd
trm
udb
usr
vdb
vpd
wdb
wmdb
xdb
xld
xlgc
a*db
a*dc
cdr
abw
act
aim
ans
apt
ase
aty
awp
awt
aww
bad
bbs
bdp
bdr
bean
bna
boc
btd
cnm
crw
cyi
dca
dgs
dj*
dne
dod*
dsv
dvi
eio
eit
emlx
epp
err
etf
etx
euc
faq
fb
fcf
fdf
fdr
fds
fdt
fdx
fdxt
fes
fft
flr
fodt
gtp
frt
fwdn
fxc
gdoc
gio
gpn
gsd
gthr
gv
hbk
hht
hs
htc
i*
idx
ii
ipf
jis
joe
jrtf
kes
klg
knt
kon
kwd
lbt
lis
lit
lnt
lrc
lst
ltr
ltx
lue
luf
lwp
lyt
lyx
man
map
mbox
me
mel
min
mnt
mwp
nfo
njx
now
o*b
ocr
odo
of
oft
ort
pfs
pjt
prt
psw
pu
pvj
pvm
pwi
pwr
qd
rad
rft
ris
rng
rpt
rst
rt
rtd
rtx
run
s*k
s*n
saf
sam
scc
scm
sct
scw
sdm
sdoc
sdw
sgm
sig
sla
sls
smf
sms
ssa
sty
sub
sxg
tab
tdf
tex
text
thp
tlb
tm
tmv
tmx
tpc
tvj
unx
uof
upd
utxt
vct
vnt
vw
wbk
wcf
wh*
wn
wpa
wpd
wps
wpt
wpw
wri
wsc
wsd
wsh
wtx
xd
xlf
xps
xwp
xyp
xyw
ybk
ym
a*abw
a*w
abm
afx
agif
agp
aic
albm
apd
apm
apng
aps
apx
art
asw
bay
bmx
brk
brn
brt
bss
bti
ca
cals
can
cdc
cdg
cimg
cin
cit
com*
cpc
cpd
cpg
cps
cpx
ct
dcr
dds
dgt
dib
djv
dmi
vue
dpx
wire
ds*
dtw
dv
ecw
eip
exr
fa
fax
fpos
fpx
gcdp
gfb
gfie
ggr
gih
gim
spr
scad
gpd
gro
grob
hdp
hdr
hpi
icn
icon
icpr
iiq
info
ipx
iwi
j
jas
jbig
jbmp
jbr
jfif
jia
jng
jps
jpx
jtf
jw
jxr
kdc
kdi
kdk
kic
kpg
lbm
ljp
mac
mbm
mef
mnr
mos
mpf
mpo
mrxs
my
ncr
nct
nlm
nrw
oci
omf
oplc
asy
cdmm
cdmt
cdn*
cdt
cmx
cnv
csy
cvg
cvi
cvs
cvx
cwt
cxf
dcs
ded
dhs
dpp
drw
dxb
dxf
egc
emf
ep
eps
epsf
fif
fig
fmv
ftn
fxg
gem
glox
hp
idea
igt
igx
imd
ink
lmk
mgcb
mgmf
mgmt
mgmx
mgtx
mmat
mat
ovp
ovr
pcs
pfv
plt
vrm
pobj
psid
rd
scv
ssk
stn
svf
svh*
tlc
tne
ufr
vbr
vec
vm
vsdm
vstm
stm
vstx
wpg
vsm
xar
ya
orf
ota
oti
p*b
p*j
p*t
pa
pano
pap
pbm
pcd
pdd
pef
pfi
pgf
pgm
pic
pict
pix
pjpg
pm
pmg
pni
pnm
pntg
pop
ppm
prw
psdx
pse
psp
ptg
ptx
pvr
px
pxr
q*a
q*p
q*s
qmg
ras
rcu
rgb
rgf
ric
riff
rix
rle
rli
rpf
rri
rs
rsb
rsr
rw
sci
sep
sfc
sfw
skm
sld
sob
spa
spe
sph
spj
spp
srw
jpeg
jpg
vmdk
arc
paq
tbk
bak
tar
th*
h*
rar
a*ip
iso
vcd
bmp
png
gif
tif
tiff
mid
wma
flv
mkv
mov
avi
asf
mpeg
vob
mpg
wmv
fla
swf
wav
(NOTE: * can be any number from 0-9)

It avoids encrypting files with the following strings in their file path:

boot
intel
winnt
appdata
recycle
windows
msocache
perflogs
recovery
tor browser
windows
programdata
sample music
sample videos
program files
local settings
sample pictures
documents and settings
system volume information

It appends the following extension to the file name of the encrypted files:

dyaaghemy

It drops the following file(s) as ransom note:

{Encrypted Directory}\README.txt

SOLUTION

Minimum Scan Engine: 9.850

FIRST VSAPI PATTERN FILE: 14.384.04

FIRST VSAPI PATTERN DATE: 17 Jul 2018

VSAPI OPR PATTERN File: 14.385.00

VSAPI OPR PATTERN Date: 18 Jul 2018

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_USERS\{SID}_CLASSES\mscfile\shell\open\command
- = cmd.exe /c "%SystemRoot%\system32\wbem\wmic shadowcopy delete"

Step 4

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%System Root%\Users\Public\README.txt
{Encrypted directory}\README.txt

Step 5

Restore encrypted files from backup.

Step 6

Scan your computer with your Trend Micro product to delete files detected as RANSOM_MAGNIBER.R. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.

RANSOM_MAGNIBER.R

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

RANSOM_MAGNIBER.R

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific