
Magniber Ransomware Switches To Javascript, Targeting Home Users With Fake


In recent years, “Big Game Hunting” ransomware attacks against enterprises have dominated media headlines because of their high-profile victims and substantial ransom demands. Yet single-client ransomware – a type of ransomware that infects individual computers rather than fleets of devices – can still cause significant damage to individuals and organizations. In this article, we share our analysis of a ransomware campaign isolated by HP Wolf Security in September 2022 that targeted home users by masquerading as software updates. The campaign spread Magniber, a single-client ransomware family known to demand $2,500 from victims. Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and evading detection techniques that rely on user-mode API hooks by issuing syscalls directly instead of calling the standard Windows API libraries.

Campaign Overview

The infection chain starts with a web download from an attacker-controlled website. The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

  • Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  • Security.Database.Upgrade.Win10.0.jse
  • 29229c7696d2d84.jse
  • System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js

Figure 1 – Magniber ransomware isolated by HP Sure Click Enterprise

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

Magniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses a User Account Control (UAC) bypass to run the relevant commands without alerting the user. For this to work, however, the logged-in user must be a member of the Administrators group. For the encryption task, the malware enumerates files and checks each file’s extension against a list; if the extension is in the list, the file is encrypted. Finally, the malware places a ransom note in each directory that contains an encrypted file and shows it to the victim by opening the note in a web browser.


Figure 2 – Magniber infection chain

Campaign Technical Analysis

The attackers behind the campaign used several interesting techniques to circumvent detection and prevention mechanisms, described in more detail below.

Phase 1: JavaScript Loader

As mentioned in the overview, the campaigns start with a JavaScript file compressed in a ZIP archive. We’ve seen both JS and JSE files used. JSE files are encoded JavaScript files. In both cases, the scripts are obfuscated (Figure 3).

Figure 3 – Obfuscated JavaScript

After decoding the script, we see that it instantiates several ActiveXObjects of type MemoryStream. Next, it decrypts an integer array and writes it into one of the MemoryStreams. The MemoryStream is then deserialized, yielding an executable .NET file that never touches disk.

Figure 4 – Deobfuscated JavaScript

At this point we enter the second phase, the .NET phase.

Phase 2: .NET Binary

The .NET binary has a very simple structure: it contains only a few functions and an integer array, much like the JavaScript file. When run, the code changes the memory protection of the array to “PAGE_EXECUTE_READWRITE” and decodes it in the same way the JavaScript decoded its array in the previous phase. The decoded array is shellcode, which is run by passing its address to the “EnumUILanguages” function as the callback pointer the function takes as its first argument. Windows then invokes the “callback”, and with it the shellcode, which is a well-known way of executing shellcode through a Windows callback rather than an explicit thread-creation API.

Figure 5 – Main function inside .NET binary

Phase 3: Stage 1 Shellcode

The first shellcode stage decrypts a second stage, injects it into another process and finally runs it. To evade detection, both shellcode stages use syscalls instead of calling standard libraries.

Figure 6 – Syscall wrapper inside shellcode

The shellcode contains its own wrapper functions for making syscalls. On x64 Windows a syscall is made by loading the system service number into the EAX register and then executing the syscall instruction, so the wrapper has to know the right number for each NT function. These numbers are not stable: they change between Windows builds, so the malware must account for this to support multiple versions. Magniber queries the operating system version and, for certain syscalls, runs through a switch-case statement on the build number before issuing the call. One example is “NtCreateThreadEx”, the syscall used to create a new thread, in this case in the other process into which the shellcode is injected.

Figure 7 – Syscall identifiers for NtCreateThreadEx

Figure 7 shows the NtCreateThreadEx identifiers for different versions of Windows. The code must select the correct identifier for the running operating system version, and the cases of the switch statement reveal which operating systems the malware supports:

Build   Windows release                      Release date
17134   Windows 10, version 1803             April 30, 2018
17763   Windows 10, version 1809             November 13, 2018
18362   Windows 10, version 1903             May 21, 2019
18363   Windows 10, version 1909             November 12, 2019
19041   Windows 10, version 2004             May 27, 2020
19042   Windows 10, version 20H2             October 20, 2020
19043   Windows 10, version 21H1             May 18, 2021
19044   Windows 10, version 21H2             November 16, 2021
20348   Windows Server 2022, version 21H2    August 18, 2021
22000   Windows 11, version 21H2             October 4, 2021
22610   Windows 11 Insider Preview           April 29, 2022
22621   Windows 11, version 22H2             September 20, 2022
25115   Windows 11 Insider Preview           May 11, 2022
25145   Windows 11 Insider Preview           June 22, 2022
25163   Windows 11 Insider Preview           July 20, 2022


Interestingly, the Magniber sample we analyzed in September supports several versions of Windows 11, including pre-release Insider Preview builds. This suggests that end users rather than enterprises were the intended targets of the campaign: enterprises tend to stay on older, established operating system releases and do not run Insider Preview builds on production machines.

With the help of syscalls, the shellcode injects decrypted shellcode into a new process and executes it, then terminates its own process.

Phase 4: Stage 2 Shellcode

This shellcode now runs in the context of another process, so the parent-child process chain visible to a defender is interrupted at this point. The purpose of this code can be divided into two parts. The first part deletes shadow copy files and disables backup and recovery features. The second part recursively enumerates all the files on the filesystem and encrypts them based on their file extension. This part of the shellcode also works purely with syscalls and does not use standard libraries.

Phase 4.1:  Delete Shadow Copy Files and Disable Backup and Recovery

To delete the shadow copy files and disable Windows recovery features, Magniber requires administrator privileges, i.e. the logged-in user must be a member of the Administrators group. Most employees in enterprise environments don’t need such privileges, so this is another indication that the attackers behind the campaign intended to target individuals rather than enterprises. However, even if the user is in the Administrators group, the malware must first get past User Account Control (UAC), which would otherwise prompt the user before a process runs with elevated privileges. Magniber uses a UAC bypass that is triggered with the following steps:

  1. The malware creates the registry key:

     HKCU\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command

     In our case, this key is linked from the “ms-settings” key (the ProgID that fodhelper.exe resolves) and allows the attacker to specify a shell command. Because HKCU\Software\Classes takes precedence over HKLM\Software\Classes when Windows builds the merged HKEY_CLASSES_ROOT view, the non-elevated user can plant this override without triggering a UAC prompt.

  2. As the key’s default value, the malware sets:

     “wscript.exe /B /E:VBScript.Encode ../../Users/Public/hnzpfrdt.tex”

  3. The malware writes an encoded VBScript to that path, containing commands that delete shadow copy files and disable backup and recovery features in Windows.

  4. The malware starts “fodhelper.exe”, a signed Windows utility for managing optional features that is allowed to auto-elevate, which triggers the UAC bypass. The elevated process looks up the newly created registry key and runs the command stored in it, causing the VBScript to execute with elevated privileges and without user confirmation.


If you look at the UAC bypass process tree, it looks like this:

Figure 8 – Process tree executing fodhelper.exe


One way to prevent the “fodhelper.exe” UAC bypass is to raise the UAC level to “Always notify”, which stops it from working on Windows 10 because fodhelper.exe no longer auto-elevates silently. Keep in mind, though, that Microsoft does not treat UAC as a security boundary; the more robust defence is to do everyday work from a standard user account rather than one that is a member of the Administrators group.
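For defenders, the registry plumbing in steps 1 and 2 is the most durable artifact of this bypass, because the VBScript and the fodhelper.exe process are gone once the script has run. The following is an added example of our own (not HP’s tooling and not code from the sample): it parses a .reg export of a user’s HKCU\Software\Classes hive and flags per-user Shell\open\command overrides that look like fodhelper-style UAC bypass plumbing. The sample export below is constructed: the key path and the wscript.exe command line are the ones quoted above, while the .reg header, the empty parent keys and the benign notepad.exe entry (a control that must not be flagged) are ours. The list of suspicious script hosts is a general heuristic, not something taken from the Magniber sample.

```python
import re
from typing import Dict, List

# Constructed .reg export (not from an infected machine). The AppX... key and
# the wscript.exe command line are the ones described in the article.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv]

[HKEY_CURRENT_USER\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell]

[HKEY_CURRENT_USER\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open]

[HKEY_CURRENT_USER\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command]
@="wscript.exe /B /E:VBScript.Encode ../../Users/Public/hnzpfrdt.tex"

[HKEY_CURRENT_USER\SOFTWARE\Classes\Applications\notepad.exe\shell\open\command]
@="\"C:\\Windows\\System32\\notepad.exe\" \"%1\""
"""

# ProgIDs that fodhelper.exe resolves when it opens the ms-settings: handler.
# On Windows 10, HKCR\ms-settings\CurVer points at the AppX04g0... ProgID,
# which is why Magniber writes its command under that key.
FODHELPER_PROGIDS = {"ms-settings", "appx04g0mbrz4mkc6e879rpf6qk6te730jfv"}

# Script hosts and interpreters that should not be the handler of a per-user
# ProgID override (heuristic, assumed here, not specific to this sample).
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "cmd",
                "rundll32", "regsvr32"}

_ESCAPE = re.compile(r'\\(["\\])')   # .reg escapes \" and \\ inside REG_SZ data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the .reg text format: {key_path: {value_name: data}}.

    The default value is stored under the name "@". Quoted REG_SZ data is
    unescaped; other types (dword:, hex:) are kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else _ESCAPE.sub(r"\1", name.strip('"'))
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _ESCAPE.sub(r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def _executable_basename(command: str) -> str:
    """Lower-cased program name of a command line, without path or '.exe'."""
    m = re.match(r'\s*"?([^"\s]+)', command)
    if not m:
        return ""
    name = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def find_uac_bypass_keys(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag HKCU\\Software\\Classes\\<ProgID>\\Shell\\open\\command entries that
    look like fodhelper-style UAC bypass plumbing; returns one dict per hit."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        lowered = [p.lower() for p in parts]
        if lowered[:3] != ["hkey_current_user", "software", "classes"]:
            continue
        if len(parts) < 7 or lowered[-3:] != ["shell", "open", "command"]:
            continue
        progid = parts[3]
        command = values.get("@", "")
        reasons = []
        if progid.lower() in FODHELPER_PROGIDS:
            reasons.append("per-user override of the ProgID fodhelper.exe resolves "
                           "(HKCU\\Software\\Classes wins over HKLM in HKEY_CLASSES_ROOT)")
        if _executable_basename(command) in SCRIPT_HOSTS:
            reasons.append("handler launches a script host: " + _executable_basename(command))
        if "vbscript.encode" in command.lower():
            reasons.append("runs encoded VBScript (/E:VBScript.Encode), as in the Magniber sample")
        if reasons:
            tokens = command.split()
            findings.append({
                "key": path,
                "progid": progid,
                "command": command,
                "script": tokens[-1] if len(tokens) > 1 else "",  # path to pull for analysis
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_uac_bypass_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["key"])
        print("  command:", f["command"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against a real export (reg export HKCU\Software\Classes classes.reg on the suspect machine, then feed the file to parse_reg_export), the notepad.exe control entry is ignored while the AppX04g0... entry is reported with all three reasons and the script path, which is the file to collect next. Note that the check only covers the registry side; the same ProgID override can be written by other families, so treat a hit as a lead, not as proof of Magniber.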

The VBScript deletes the shadow copies through Windows Management Instrumentation (WMI), disables the Windows recovery features with the “bcdedit” command, and then deletes the system backup with “wbadmin”. Afterwards the user has no way to restore the encrypted files with Windows’ built-in tools.

Figure 9 – VBScript that deletes shadow copy files and disables backup and recovery features

Phase 4.2:  Encrypt Files

To decide which files to encrypt, Magniber keeps a list of pseudohashes, each corresponding to a file extension. For every file it enumerates, the ransomware computes the pseudohash of the file’s extension; if the value is in the list, the file is encrypted. The encrypted file is then renamed with a new extension that is unique to each Magniber sample, and this extension is identical to the URL path in the ransom note.

Magniber’s file extension hashes are best described as pseudohashes because no standard hash algorithm is used and the calculation causes hash collisions – meaning some files that aren’t in the attacker’s list of file extensions are also encrypted. An implementation of the hashing function in Python looks like this:

def pseudohash(file_ending):
    # ord(c) - 0x60 maps 'a'..'z' to 1..26; any other character falls outside
    # that range, which is what produces collisions between extensions.
    hash = 0
    counter = 0
    for character in file_ending:
        hash += (ord(character) - 0x60) * (3 ** ((len(file_ending) - counter) * 3))
        counter += 1
    return hash
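The collision claim is easy to check concretely. The following added example is our own code (not Magniber’s and not HP’s analysis tooling): it reimplements the pseudohash above, applies the extension check the way the article describes it, and then brute-forces every short lower-case alphanumeric string to find extensions that hash to the same value as a list entry. Because ord(c) - 0x60 maps a..z to 1..26 and the weights are powers of 27, extensions made only of lower-case letters get unique hashes; collisions come from characters outside a..z, such as digits, which contribute negative terms. Two assumptions are ours: the target list is a small subset of the one in the IOC section, and the extension is hashed as-is, since the article does not say whether Magniber lower-cases it first.

```python
import itertools
import string
from typing import Dict, Iterable, List, Set


def pseudohash(ext: str) -> int:
    """Magniber's extension pseudohash, as reconstructed above."""
    h = 0
    for i, ch in enumerate(ext):
        h += (ord(ch) - 0x60) * (3 ** ((len(ext) - i) * 3))
    return h


# Constructed subset of the extension list printed in the IOC section.
TARGET_EXTENSIONS: List[str] = ["djv", "afx", "doc", "pdf", "docx", "xlsx", "accdb"]
TARGET_HASHES: Set[int] = {pseudohash(e) for e in TARGET_EXTENSIONS}


def would_be_encrypted(filename: str) -> bool:
    """The check as the article describes it: hash the extension after the last
    dot and look it up in the hash set. Compares the extension as-is (assumption:
    no lower-casing, which the article does not specify)."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and pseudohash(ext) in TARGET_HASHES


def find_collisions(targets: Iterable[str],
                    alphabet: str = string.ascii_lowercase + string.digits,
                    max_len: int = 3) -> Dict[str, List[str]]:
    """Brute-force every string over `alphabet` of length 1..max_len and report
    those that hash to a target's value without being that target."""
    by_hash = {pseudohash(t): t for t in targets}
    hits: Dict[str, List[str]] = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            target = by_hash.get(pseudohash(candidate))
            if target is not None and candidate != target:
                hits.setdefault(target, []).append(candidate)
    return hits


if __name__ == "__main__":
    for name in ("report.docx", "clip.f4v", "notes.txt", "README"):
        print(f"{name:12s} encrypted: {would_be_encrypted(name)}")
    for target, others in find_collisions(TARGET_EXTENSIONS).items():
        print(f"{target} collides with {others}")
```

With these seven targets the brute force reports f4v colliding with djv, c0x with afx, f9c with doc, and pf0 and r00 with pdf, so a .f4v video file would be encrypted even though f4v appears nowhere in the list. Extending the alphabet to upper-case letters turns up many more, which is why an extension list recovered from the hashes (like the one in the IOC section) can only ever be a lower bound on what the sample encrypts.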

Finally, the ransomware tells the victim about what happened and how they can decrypt their data by dropping an HTML ransom note in every directory that contains an encrypted file. To make sure the user sees the demand, Magniber also opens the note in a web browser.

Figure 10 – Magniber ransom note

How to Protect Yourself

Home users can protect themselves from ransomware campaigns like this one by following this simple advice:

  • Follow the principle of least privilege: use a standard user account for day-to-day work and an administrator account only when you really need one. Many home users run with administrator privileges but rarely need them, and without them this campaign cannot disable recovery.
  • Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
  • Back up your data regularly, and keep at least one copy offline or otherwise out of reach of malware running on your PC. Magniber deletes shadow copies and system backups specifically so that on-device recovery fails; a disconnected backup is what lets you recover without paying.


Even though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage. Home users were the likely target of this malware based on the supported operating system versions and UAC bypass. The attackers used clever techniques to evade protection and detection mechanisms. Most of the infection chain is “fileless”, meaning the malware only resides in memory, reducing the chances of it being detected. Magniber also bypasses detection techniques that rely on user-mode hooks because it uses syscalls instead of standard Windows API libraries. With the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Indicators of Compromise (IOCs)

Reference Magniber JavaScript sample used for our analysis:


Magniber JavaScript files:

Magniber encrypts files with these extensions:


“1”: [“c”, “h”, “j”, “p”, “x”],


“2”: [“ai”, “ca”, “cd”, “cf”, “cs”, “ct”, “db”, “dd”, “dt”, “dv”, “dx”, “em”, “ep”, “eq”, “fa”, “fb”, “fi”, “fo”, “gv”, “hp”, “hs”, “hz”, “ib”, “ii”, “js”, “jw”, “ma”, “mb”, “me”, “mm”, “mx”, “my”, “of”, “pa”, “pm”, “pu”, “px”, “qd”, “rb”, “rd”, “rs”, “rt”, “rw”, “sh”, “sq”, “st”, “te”, “tm”, “vb”, “vm”, “vw”, “wn”, “wp”, “xd”, “ya”, “ym”, “zw”],


“3”: [“hpi”, “icn”, “idc”, “idx”, “igt”, “igx”, “ihx”, “iiq”, “ocr”, “abm”, “abs”, “abw”, “act”, “adn”, “adp”, “aes”, “aft”, “afx”, “agp”, “ahd”, “aic”, “aim”, “alf”, “ans”, “apd”, “apm”, “aps”, “apt”, “apx”, “art”, “arw”, “asc”, “ase”, “ask”, “asm”, “asp”, “asw”, “asy”, “aty”, “awp”, “awt”, “aww”, “azz”, “bad”, “bay”, “bbs”, “bdb”, “bdp”, “bdr”, “bib”, “bmx”, “bna”, “bnd”, “boc”, “bok”, “brd”, “brk”, “brn”, “brt”, “bss”, “btd”, “bti”, “btr”, “can”, “cdb”, “cdc”, “cdg”, “cdr”, “cdt”, “cfu”, “cgm”, “cin”, “cit”, “ckp”, “cma”, “cmx”, “cnm”, “cnv”, “cpc”, “cpd”, “cpg”, “cpp”, “cps”, “cpx”, “crd”, “crt”, “crw”, “csr”, “csv”, “csy”, “cvg”, “cvi”, “cvs”, “cvx”, “cwt”, “cxf”, “cyi”, “dad”, “daf”, “dbc”, “dbf”, “dbk”, “dbs”, “dbt”, “dbv”, “dbx”, “dca”, “dcb”, “dch”, “dcr”, “dcs”, “dct”, “dcx”, “dds”, “ded”, “der”, “dgn”, “dgs”, “dgt”, “dhs”, “dib”, “dif”, “dip”, “diz”, “djv”, “dmi”, “dmo”, “dnc”, “dne”, “doc”, “dot”, “dpp”, “dpx”, “dqy”, “drw”, “drz”, “dsk”, “dsn”, “dsv”, “dta”, “dtw”, “dvi”, “dwg”, “dxb”, “dxf”, “eco”, “ecw”, “ecx”, “edb”, “efd”, “egc”, “eio”, “eip”, “eit”, “emd”, “emf”, “epf”, “epp”, “eps”, “erf”, “err”, “etf”, “etx”, “euc”, “exr”, “faq”, “fax”, “fbx”, “fcd”, “fcf”, “fdf”, “fdr”, “fds”, “fdt”, “fdx”, “fes”, “fft”, “fic”, “fid”, “fif”, “fig”, “flr”, “fmv”, “fpt”, “fpx”, “frm”, “frt”, “frx”, “ftn”, “fxc”, “fxg”, “fzb”, “fzv”, “gdb”, “gem”, “geo”, “gfb”, “ggr”, “gih”, “gim”, “gio”, “gpd”, “gpg”, “gpn”, “gro”, “grs”, “gsd”, “gtp”, “gwi”, “hbk”, “hdb”, “hdp”, “hdr”, “hht”, “his”, “hpg”, “htc”, “hwp”, “ibd”, “imd”, “ink”, “ipf”, “ipx”, “itw”, “iwi”, “jar”, “jas”, “jbr”, “jia”, “jis”, “jng”, “joe”, “jpe”, “jps”, “jpx”, “jsp”, “jtf”, “jtx”, “jxr”, “kdb”, “kdc”, “kdi”, “kdk”, “kes”, “key”, “kic”, “klg”, “knt”, “kon”, “kpg”, “kwd”, “lay”, “lbm”, “lbt”, “ldf”, “lgc”, “lis”, “lit”, “ljp”, “lmk”, “lnt”, “lrc”, “lst”, “ltr”, “ltx”, “lue”, “luf”, “lwo”, “lwp”, “lws”, “lyt”, “lyx”, “lzf”, “mac”, “man”, “map”, “maq”, “mat”, “max”, “mbm”, “mdb”, “mdf”, “mdn”, “mdt”, 
“mef”, “mel”, “mft”, “min”, “mnr”, “mnt”, “mos”, “mpf”, “mpo”, “mrg”, “msg”, “mud”, “mwb”, “mwp”, “myd”, “myi”, “ncr”, “nct”, “ndf”, “nef”, “nfo”, “njx”, “nlm”, “now”, “nrw”, “nsf”, “nyf”, “nzb”, “obj”, “oce”, “oci”, “odb”, “odg”, “odm”, “odo”, “odp”, “ods”, “odt”, “oft”, “omf”, “oqy”, “ora”, “orf”, “ort”, “orx”, “ost”, “ota”, “otg”, “oti”, “otp”, “ots”, “ott”, “ovp”, “ovr”, “owc”, “owg”, “oyx”, “ozb”, “ozj”, “ozt”, “pan”, “pap”, “pas”, “pbm”, “pcd”, “pcs”, “pdb”, “pdd”, “pdf”, “pdm”, “pds”, “pdt”, “pef”, “pem”, “pff”, “pfi”, “pfs”, “pfv”, “pfx”, “pgf”, “pgm”, “phm”, “php”, “pic”, “pix”, “pjt”, “plt”, “pmg”, “pni”, “pnm”, “pnz”, “pop”, “pot”, “ppm”, “pps”, “ppt”, “prt”, “prw”, “psd”, “pse”, “psp”, “pst”, “psw”, “ptg”, “pth”, “ptx”, “pvj”, “pvm”, “pvr”, “pwa”, “pwi”, “pwr”, “pxr”, “pza”, “pzp”, “pzs”, “qmg”, “qpx”, “qry”, “qvd”, “rad”, “ras”, “raw”, “rcu”, “rdb”, “rft”, “rgb”, “rgf”, “rib”, “ric”, “ris”, “rix”, “rle”, “rli”, “rng”, “rpd”, “rpf”, “rpt”, “rri”, “rsb”, “rsd”, “rsr”, “rst”, “rtd”, “rtf”, “rtx”, “run”, “rzk”, “rzn”, “saf”, “sam”, “sbf”, “scc”, “sch”, “sci”, “scm”, “sct”, “scv”, “scw”, “sdb”, “sdf”, “sdm”, “sdw”, “sep”, “sfc”, “sfw”, “sgm”, “sig”, “skm”, “sla”, “sld”, “slk”, “sln”, “sls”, “smf”, “sms”, “snt”, “sob”, “spa”, “spe”, “sph”, “spj”, “spp”, “spq”, “spr”, “sqb”, “srw”, “ssa”, “ssk”, “stc”, “std”, “sti”, “stm”, “stn”, “stp”, “str”, “stw”, “sty”, “sub”, “suo”, “svf”, “svg”, “sxc”, “sxd”, “sxg”, “sxi”, “sxm”, “sxw”, “tab”, “tcx”, “tdf”, “tdt”, “tex”, “thp”, “tlb”, “tlc”, “tmd”, “tmv”, “tmx”, “tne”, “tpc”, “trm”, “tvj”, “udb”, “ufr”, “unx”, “uof”, “uop”, “uot”, “upd”, “usr”, “vbr”, “vbs”, “vct”, “vdb”, “vdi”, “vec”, “vmx”, “vnt”, “vpd”, “vrm”, “vrp”, “vsd”, “vsm”, “vue”, “wbk”, “wcf”, “wdb”, “wgz”, “wks”, “wpa”, “wpd”, “wpg”, “wps”, “wpt”, “wpw”, “wri”, “wsc”, “wsd”, “wsh”, “wtx”, “xar”, “xdb”, “xlc”, “xld”, “xlf”, “xlm”, “xls”, “xlt”, “xlw”, “xps”, “xwp”, “xyp”, “xyw”, “ybk”, “zdb”, “zdc”],


“4”: [“agif”, “albm”, “apng”, “awdb”, “bean”, “cals”, “cdmm”, “cdmt”, “cdmz”, “cimg”, “clkw”, “colz”, “djvu”, “docb”, “docm”, “docx”, “docz”, “dotm”, “dotx”, “dtsx”, “emlx”, “epsf”, “fdxt”, “fodt”, “fpos”, “fwdn”, “gcdp”, “gdoc”, “gfie”, “glox”, “grob”, “gthr”, “icon”, “icpr”, “idea”, “info”, “itdb”, “java”, “jbig”, “jbmp”, “jfif”, “jrtf”, “kdbx”, “mbox”, “mgcb”, “mgmf”, “mgmt”, “mgmx”, “mgtx”, “mmat”, “mrxs”, “oplc”, “pano”, “pict”, “pjpg”, “pntg”, “pobj”, “potm”, “potx”, “ppam”, “ppsm”, “ppsx”, “pptm”, “pptx”, “psdx”, “psid”, “rctd”, “riff”, “scad”, “sdoc”, “sldm”, “sldx”, “svgz”, “text”, “utxt”, “vsdm”, “vsdx”, “vstm”, “vstx”, “wire”, “wmdb”, “xlgc”, “xlsb”, “xlsm”, “xlsx”, “xltm”, “xltx”, “zabw”],


“5”: [“accdb”, “class”]



Magniber domains: