Let's Learn: Deep Dive Into Magniber Ransomware PEB Traversal Function

Goal: Reverse the latest Magniber ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Original infector: a4100b682b2b63374e4ed2fc937d9b96
Decoded payload: f51a5b8ee6a5f25aa293911702a37a34
Background:

  • The ransomware served by Magnitude Exploit Kit (EK), named “Magniber,” specifically targets individuals in the Republic of Korea. Magniber checks via GetSystemDefaultUILanguage that the potential victim’s system default language is Korean (code: 0x0412); otherwise the ransomware terminates. Magniber generates a unique command-and-control (C2) server and ransom note website for each victim, only giving a valid response if the victim’s public IP address is located in South Korea.
#Magniber #Ransomware new variant via #MagnitudeEK with extension “.wmfxdqz”, evolved and is obfuscated now - still targets to South Korea.
Thx! @hasherezade @jeromesegura
MD5: a4100b682b2b63374e4ed2fc937d9b96 pic.twitter.com/b1BultusoG
— Marcelo Rivero (@MarceloRivero) December 13, 2017

Malwarebytes’ @hasherezade and FireEye researchers previously extensively covered some of the Magniber ransomware cryptography and basic functionality. The scope of the blog is to unpack the ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Outline:
I. Unpacking Magniber ransomware
II. Victim ID generation function
III. The PEB traversal function resolving hashes to API
IV. Indicators of compromise
I. Unpacking malware
Extract the first-layer Magniber ransomware payload after it decodes and injects itself via WriteProcessMemory. This step is rather trivial: it comes down to dumping the written buffer in OllyDbg.
II. Victim ID generation function
The very first function Magniber calls right after “start” (the main entry point) is the victim ID generation function; one helper returns a character in the range 0-9 and another one in the range a-z. The argument passed to the function is 19, which is the length of the returned victim ID string. It is a pretty interesting way to generate victim IDs: GetTickCount-based helper calls pick characters from [0-9a-z] until 19 characters have been produced.
The C++ function is as follows:
#include <windows.h>

// IDA/Hex-Rays integer type used by the decompiled output
typedef unsigned short _WORD;

// Magniber helper (not shown in the decompilation): returns a value in the
// range [lo, hi] derived from GetTickCount.
extern int get_tick_count_func(int lo, int hi);

_WORD *__cdecl generator_19_victim_id_string(int a1)
{
  HANDLE v1;
  _WORD *v3;
  int i;

  v1 = GetProcessHeap();
  v3 = HeapAlloc(v1, 8u, 2 * a1 + 2);           // 8 = HEAP_ZERO_MEMORY; a1 wide chars + NUL
  for ( i = 0; i < a1; ++i )
  {
    if ( get_tick_count_func(0, 1) )            // coin flip: digit or letter
      v3[i] = get_tick_count_func('0', '9');
    else
      v3[i] = get_tick_count_func('a', 'z');
  }
  v3[a1] = 0;                                   // terminate the wide string
  return v3;
}
III. The PEB traversal code resolving hashes to APIs
Here, we observe an interesting Magniber ransomware technique for traversing the Process Environment Block (PEB) data.
PEB is a user-mode data structure that applications can use to obtain information such as the list of loaded modules, process startup arguments and heap addresses, among other things. More on the PEB structure can be found on MSDN.
The malware obtains the PEB via __readfsdword(0x30) (fs:[30h]), walks the loaded-module list and, for each module with an export table, hashes the module name and then every exported function name (pFunctionName) with a ROTR macro implementing a 32-bit rotate-right operation, until the combined hash matches the requested value.
By and large, this PEB traversal function is used to resolve APIs by hash and thus avoid the usual LoadLibrary and GetProcAddress sequence that basic anti-virus detection keys on. In this case, the ransomware resolves all of its Advapi32 cryptography, registry and Internet API calls this way.
Notably, this PEB traversal is almost an exact copy of the GitHub code belonging to the project “Position Independent Code Bindshell.”
The function C++ code works as follows:
#include <windows.h>
#include <intrin.h>   // __readfsdword

// IDA/Hex-Rays integer types used by the decompiled output
typedef unsigned int   _DWORD;
typedef unsigned short _WORD;
typedef unsigned char  _BYTE;

int __cdecl resolve_api_by_hash(int a1)
{
  int pFunctionName;
  int v3;
  int v4;
  int v5;
  _DWORD *pdwFunctionNameBase;
  int v7;
  int v8;
  unsigned int dwFunctionHash;
  int dwModuleHash;
  int v11;
  _BYTE *pTempChar;
  unsigned int i;
  unsigned int j;

  v7 = *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30) + 0xC) + 0xC);// 0x30 = PEB; +0xC = PEB->Ldr; +0xC = Ldr->InLoadOrderModuleList.Flink
  while ( *(_DWORD *)(v7 + 0x18) )              // while (pDataTableEntry->DllBase != NULL)
  {
    dwModuleHash = 0;
    v8 = *(_DWORD *)(v7 + 0x18);                // pDataTableEntry->DllBase
    v3 = *(_DWORD *)(v7 + 0x2C);                // pDataTableEntry->BaseDllName.Length (LOWORD) / MaximumLength (HIWORD)
    v4 = *(_DWORD *)(v7 + 0x30);                // pDataTableEntry->BaseDllName.Buffer
    v5 = *(_DWORD *)(*(_DWORD *)(v8 + 0x3C) + v8 + 0x78);// pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress (dwExportDirRVA)
    v7 = *(_DWORD *)v7;                         // pDataTableEntry = InLoadOrderLinks.Flink
    if ( v5 )                                   // dwExportDirRVA != 0
    {
      for ( i = 0; i < HIWORD(v3); ++i )        // hash BaseDllName.MaximumLength bytes of the UTF-16 module name
      {
        pTempChar = (_BYTE *)(i + v4);          // pTempChar
        v11 = (dwModuleHash << 19) | ((unsigned __int64)(unsigned int)dwModuleHash >> 13);// dwModuleHash = ROTR32( dwModuleHash, 13 )
        if ( (signed int)*(_BYTE *)(i + v4) < 'a' )// if ( *pTempChar < 0x61 )
          dwModuleHash = v11 + *pTempChar;      // dwModuleHash += *pTempChar
        else
          dwModuleHash = v11 + *pTempChar - ' ';// dwModuleHash += *pTempChar - 0x20 (upper-case the letter)
      }
      pdwFunctionNameBase = (_DWORD *)(*(_DWORD *)(v5 + v8 + 0x20) + v8);// pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames)
      for ( j = 0; j < *(_DWORD *)(v5 + v8 + 0x18); ++j )// for (i = 0; i < pExportDir->NumberOfNames; i++)
      {
        dwFunctionHash = 0;
        pFunctionName = v8 + *pdwFunctionNameBase;// (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase)
        ++pdwFunctionNameBase;
        pTempChar = (_BYTE *)pFunctionName;
        do                                      // hash the export name including its terminating NUL
          dwFunctionHash = ((dwFunctionHash << 19) | ((unsigned __int64)dwFunctionHash >> 13)) + *pTempChar++;// dwFunctionHash = ROTR32( dwFunctionHash, 13 ) + *pTempChar
        while ( *(pTempChar - 1) );
        if ( dwModuleHash + dwFunctionHash == a1 )// combined hash matches the hardcoded value
          return *(_DWORD *)(*(_DWORD *)(v5 + v8 + 28) + v8 + 4 * *(_WORD *)(*(_DWORD *)(v5 + v8 + 36) + v8 + 2 * j))
               + v8;                            // pModuleBase + AddressOfFunctions[AddressOfNameOrdinals[j]]
      }
    }
  }
  return 0;
}
The PEB traversal function is leveraged 18 times to import and resolve the following hashes to their respective APIs:

Function Location              Hash         Resolved API
crypto_func+B                  0x42131B45   CryptAcquireContextW
crypto_func+1B                 0x56622BD6   CryptDestroyHash
crypto_func+2B                 0x24FFC058   CryptImportKey
crypto_func+3B                 0xCFD1BDA1   CryptSetKeyParam
crypto_func+4B                 0xCFB9BDA1   CryptGenKeyParam
extension_match_process+55     0xED7C652    CryptEncrypt
extension_match_process+65     0xE95AC43    CryptDestroyKey
extension_match_process+75     0x56622BD6   CryptReleaseContext
extension_match_process+85     0x2733D478   CryptReleaseContext
http_resolver+96               0xA829563A   InternetOpenW
http_resolver+A6               0xF12A8777   InternetOpenUrlW
http_resolver+B6               0xB6B67072   HttpQueryInfoW
http_resolver+C6               0xE2899612   InternetReadFile
http_resolver+D6               0xD46E6BD3   InternetCloseHandle
shadow_copy+505                0x7FEF6E25   RegCreateKeyW
shadow_copy+518                0xBA2A6615   RegSetValueExW
shadow_copy+52B                0x31E0C5ED   RegCloseKey
start+526                      0xE33D73B4   lstrcpyW
start+536                      0xEF53E1DF   GetSystemDefaultUILanguage
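To make the hashing concrete, here is an added Python re-implementation of the two hash loops in the decompiled function above; it is written for this write-up and is not code from the Magniber sample or from the PIC bindshell project. It recomputes the ROR13 module hash over the UTF-16LE bytes of BaseDllName (upper-casing bytes >= 0x61 exactly as the sample does), the ROR13 function hash over the ASCII export name including its terminating NUL (as the do/while does), adds the two as the sample does, and builds a reverse lookup from a candidate export list so that hardcoded values like the ones in the table can be mapped back to DLL/API pairs during triage. The candidate list is constructed for the demonstration; in practice it is filled from the export directories of the DLLs of interest. It also assumes that BaseDllName.MaximumLength equals Length + 2 (the terminating UTF-16 NUL is hashed), which is the usual case for PEB entries, and exposes that as a parameter.

```python
from typing import Dict, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """32-bit rotate right by 13: the decompiled (x << 19) | (x >> 13)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def module_hash(base_dll_name: str, maximum_length: Optional[int] = None) -> int:
    """Hash over the raw UTF-16LE bytes of LDR_DATA_TABLE_ENTRY.BaseDllName.

    The sample walks BaseDllName.MaximumLength bytes (HIWORD(v3)) and turns any
    byte >= 0x61 into its upper-case form by subtracting 0x20, so the hash is
    ASCII case-insensitive. Assumption: MaximumLength == Length + 2, i.e. the
    terminating UTF-16 NUL is part of the hashed bytes; pass maximum_length to
    override when a PEB entry differs.
    """
    raw = base_dll_name.encode("utf-16-le") + b"\x00\x00"
    if maximum_length is None:
        maximum_length = len(raw)
    raw = raw[:maximum_length].ljust(maximum_length, b"\x00")
    h = 0
    for b in raw:
        h = ror13(h)
        h = (h + (b - 0x20 if b >= 0x61 else b)) & MASK32
    return h


def function_hash(export_name: str) -> int:
    """Hash over the export name; the do/while also folds in the terminating NUL."""
    h = 0
    for b in export_name.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(dll: str, export: str) -> int:
    """The value the sample compares with its hardcoded argument (a1)."""
    return (module_hash(dll) + function_hash(export)) & MASK32


# Constructed candidate list for the demonstration; an analyst would fill it
# from the export directories of advapi32.dll, wininet.dll, kernel32.dll, ...
CANDIDATE_EXPORTS: Dict[str, Tuple[str, ...]] = {
    "advapi32.dll": ("CryptAcquireContextW", "CryptImportKey", "RegCreateKeyW"),
    "wininet.dll": ("InternetOpenW", "InternetReadFile"),
    "kernel32.dll": ("lstrcpyW", "GetSystemDefaultUILanguage"),
}


def build_lookup(exports: Dict[str, Tuple[str, ...]]) -> Dict[int, Tuple[str, str]]:
    """Map combined hash -> (dll, export) for every candidate pair."""
    return {api_hash(dll, name): (dll, name)
            for dll, names in exports.items() for name in names}


def resolve(hash_value: int, lookup: Dict[int, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Reverse a hardcoded hash to its DLL/API pair, or None when no candidate matches."""
    return lookup.get(hash_value & MASK32)


if __name__ == "__main__":
    table = build_lookup(CANDIDATE_EXPORTS)
    for h, (dll, name) in sorted(table.items()):
        print(f"0x{h:08X}  {dll:<14}{name}")
```

Running the script prints the combined hash for each candidate pair; comparing those values against the hashes in the table above shows whether the MaximumLength assumption holds for a given module on the victim system. A mismatch for every export of one DLL usually means that module's BaseDllName.MaximumLength is larger than Length + 2, in which case re-run module_hash with the value read from the PEB entry.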
IV. Indicators of Compromise
Default AES_KEY:
rpa7A7464MovZ807

Initialization vector:

fKwJ97sQ63y1D309

The list of the decoded subdomains is as follows:

piruns[.]racing
sawchip[.]life
oneking[.]space
Tor Domain:
r6zhyjiytkramynl[.]onion
The list of whitelisted directories is as follows:
[':\\documents and settings\\all users\\', ':\\documents and settings\\default user\\', ':\\documents and settings\\localservice\\', ':\\documents and settings\\networkservice\\', '\\appdata\\local\\', '\\appdata\\locallow\\', '\\appdata\\roaming\\', '\\local settings\\', '\\public\\music\\sample music\\', '\\public\\pictures\\sample pictures\\', '\\public\\videos\\sample videos\\', '\\tor browser\\', '\\$recycle.bin', '\\$windows.~bt', '\\$windows.~ws', '\\boot', '\\intel', '\\msocache', '\\perflogs', '\\program files (x86)', '\\program files', '\\programdata', '\\recovery', '\\recycled', '\\recycler', '\\system volume information', '\\windows.old', '\\windows10upgrade', '\\windows', '\\winnt']
Targeted extensions:
['doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'pst', 'ost', 'msg', 'em', 'vsd', 'vsdx', 'csv', 'rtf', '123', 'wks', 'wk1', 'pdf', 'dwg', 'onetoc2', 'snt', 'docb', 'docm', 'dot', 'dotm', 'dotx', 'xlsm', 'xlsb', 'xlw', 'xlt', 'xlm', 'xlc', 'xltx', 'xltm', 'pptm', 'pot', 'pps', 'ppsm', 'ppsx', 'ppam', 'potx', 'potm', 'edb', 'hwp', '602', 'sxi', 'sti', 'sldx', 'sldm', 'vdi', 'vmx', 'gpg', 'aes', 'raw', 'cgm', 'nef', 'psd', 'ai', 'svg', 'djvu', 'sh', 'class', 'jar', 'java', 'rb', 'asp', 'php', 'jsp', 'brd', 'sch', 'dch', 'dip', 'p', 'vb', 'vbs', 'ps1', 'js', 'asm', 'h', 'pas', 'cpp', 'c', 'cs', 'suo', 'sln', 'ldf', 'mdf', 'ibd', 'myi', 'myd', 'frm', 'odb', 'dbf', 'db', 'mdb', 'accdb', 'sq', 'sqlitedb', 'sqlite3', 'asc', 'lay6', 'lay', 'mm', 'sxm', 'otg', 'odg', 'uop', 'std', 'sxd', 'otp', 'odp', 'wb2', 'slk', 'dif', 'stc', 'sxc', 'ots', 'ods', '3dm', 'max', '3ds', 'uot', 'stw', 'sxw', 'ott', 'odt', 'pem', 'p12', 'csr', 'crt', 'key', 'pfx', 'der', '1cd', 'cd', 'arw', 'jpe', 'eq', 'adp', 'odm', 'dbc', 'frx', 'db2', 'dbs', 'pds', 'pdt', 'dt', 'cf', 'cfu', 'mx', 'epf', 'kdbx', 'erf', 'vrp', 'grs', 'geo', 'st', 'pff', 'mft', 'efd', 'rib', 'ma', 'lwo', 'lws', 'm3d', 'mb', 'obj', 'x', 'x3d', 'c4d', 'fbx', 'dgn', '4db', '4d', '4mp', 'abs', 'adn', 'a3d', 'aft', 'ahd', 'alf', 'ask', 'awdb', 'azz', 'bdb', 'bib', 'bnd', 'bok', 'btr', 'cdb', 'ckp', 'clkw', 'cma', 'crd', 'dad', 'daf', 'db3', 'dbk', 'dbt', 'dbv', 'dbx', 'dcb', 'dct', 'dcx', 'dd', 'df1', 'dmo', 'dnc', 'dp1', 'dqy', 'dsk', 'dsn', 'dta', 'dtsx', 'dx', 'eco', 'ecx', 'emd', 'fcd', 'fic', 'fid', 'fi', 'fm5', 'fo', 'fp3', 'fp4', 'fp5', 'fp7', 'fpt', 'fzb', 'fzv', 'gdb', 'gwi', 'hdb', 'his', 'ib', 'idc', 'ihx', 'itdb', 'itw', 'jtx', 'kdb', 'lgc', 'maq', 'mdn', 'mdt', 'mrg', 'mud', 'mwb', 's3m', 'ndf', 'ns2', 'ns3', 'ns4', 'nsf', 'nv2', 'nyf', 'oce', 'oqy', 'ora', 'orx', 'owc', 'owg', 'oyx', 'p96', 'p97', 'pan', 'pdb', 'pdm', 'phm', 'pnz', 'pth', 'pwa', 'qpx', 'qry', 'qvd', 'rctd', 'rdb', 'rpd', 'rsd', 'sbf', 'sdb', 'sdf', 
'spq', 'sqb', 'stp', 'str', 'tcx', 'tdt', 'te', 'tmd', 'trm', 'udb', 'usr', 'v12', 'vdb', 'vpd', 'wdb', 'wmdb', 'xdb', 'xld', 'xlgc', 'zdb', 'zdc', 'cdr', 'cdr3', 'abw', 'act', 'aim', 'ans', 'apt', 'ase', 'aty', 'awp', 'awt', 'aww', 'bad', 'bbs', 'bdp', 'bdr', 'bean', 'bna', 'boc', 'btd', 'cnm', 'crw', 'cyi', 'dca', 'dgs', 'diz', 'dne', 'docz', 'dsv', 'dvi', 'dx', 'eio', 'eit', 'emlx', 'epp', 'err', 'etf', 'etx', 'euc', 'faq', 'fb2', 'fb', 'fcf', 'fdf', 'fdr', 'fds', 'fdt', 'fdx', 'fdxt', 'fes', 'fft', 'flr', 'fodt', 'gtp', 'frt', 'fwdn', 'fxc', 'gdoc', 'gio', 'gpn', 'gsd', 'gthr', 'gv', 'hbk', 'hht', 'hs', 'htc', 'hz', 'idx', 'ii', 'ipf', 'jis', 'joe', 'jp1', 'jrtf', 'kes', 'klg', 'knt', 'kon', 'kwd', 'lbt', 'lis', 'lit', 'lnt', 'lp2', 'lrc', 'lst', 'ltr', 'ltx', 'lue', 'luf', 'lwp', 'lyt', 'lyx', 'man', 'map', 'mbox', 'me', 'mel', 'min', 'mnt', 'mwp', 'nfo', 'njx', 'now', 'nzb', 'ocr', 'odo', 'of', 'oft', 'ort', 'p7s', 'pfs', 'pjt', 'prt', 'psw', 'pu', 'pvj', 'pvm', 'pwi', 'pwr', 'qd', 'rad', 'rft', 'ris', 'rng', 'rpt', 'rst', 'rt', 'rtd', 'rtx', 'run', 'rzk', 'rzn', 'saf', 'sam', 'scc', 'scm', 'sct', 'scw', 'sdm', 'sdoc', 'sdw', 'sgm', 'sig', 'sla', 'sls', 'smf', 'sms', 'ssa', 'sty', 'sub', 'sxg', 'tab', 'tdf', 'tex', 'text', 'thp', 'tlb', 'tm', 'tmv', 'tmx', 'tpc', 'tvj', 'u3d', 'u3i', 'unx', 'uof', 'upd', 'utf8', 'utxt', 'vct', 'vnt', 'vw', 'wbk', 'wcf', 'wgz', 'wn', 'wp', 'wp4', 'wp5', 'wp6', 'wp7', 'wpa', 'wpd', 'wp', 'wps', 'wpt', 'wpw', 'wri', 'wsc', 'wsd', 'wsh', 'wtx', 'xd', 'xlf', 'xps', 'xwp', 'xy3', 'xyp', 'xyw', 'ybk', 'ym', 'zabw', 'zw', 'abm', 'afx', 'agif', 'agp', 'aic', 'albm', 'apd', 'apm', 'apng', 'aps', 'apx', 'art', 'asw', 'bay', 'bm2', 'bmx', 'brk', 'brn', 'brt', 'bss', 'bti', 'c4', 'ca', 'cals', 'can', 'cd5', 'cdc', 'cdg', 'cimg', 'cin', 'cit', 'colz', 'cpc', 'cpd', 'cpg', 'cps', 'cpx', 'cr2', 'ct', 'dc2', 'dcr', 'dds', 'dgt', 'dib', 'djv', 'dm3', 'dmi', 'vue', 'dpx', 'wire', 'drz', 'dt2', 'dtw', 'dv', 'ecw', 'eip', 'exr', 'fa', 'fax', 
'fpos', 'fpx', 'g3', 'gcdp', 'gfb', 'gfie', 'ggr', 'gih', 'gim', 'spr', 'scad', 'gpd', 'gro', 'grob', 'hdp', 'hdr', 'hpi', 'i3d', 'icn', 'icon', 'icpr', 'iiq', 'info', 'ipx', 'itc2', 'iwi', 'j', 'j2c', 'j2k', 'jas', 'jb2', 'jbig', 'jbmp', 'jbr', 'jfif', 'jia', 'jng', 'jp2', 'jpg2', 'jps', 'jpx', 'jtf', 'jw', 'jxr', 'kdc', 'kdi', 'kdk', 'kic', 'kpg', 'lbm', 'ljp', 'mac', 'mbm', 'mef', 'mnr', 'mos', 'mpf', 'mpo', 'mrxs', 'my', 'ncr', 'nct', 'nlm', 'nrw', 'oc3', 'oc4', 'oc5', 'oci', 'omf', 'oplc', 'af2', 'af3', 'asy', 'cdmm', 'cdmt', 'cdmz', 'cdt', 'cmx', 'cnv', 'csy', 'cv5', 'cvg', 'cvi', 'cvs', 'cvx', 'cwt', 'cxf', 'dcs', 'ded', 'dhs', 'dpp', 'drw', 'dxb', 'dxf', 'egc', 'emf', 'ep', 'eps', 'epsf', 'fh10', 'fh11', 'fh3', 'fh4', 'fh5', 'fh6', 'fh7', 'fh8', 'fif', 'fig', 'fmv', 'ft10', 'ft11', 'ft7', 'ft8', 'ft9', 'ftn', 'fxg', 'gem', 'glox', 'hpg', 'hpg', 'hp', 'idea', 'igt', 'igx', 'imd', 'ink', 'lmk', 'mgcb', 'mgmf', 'mgmt', 'mt9', 'mgmx', 'mgtx', 'mmat', 'mat', 'ovp', 'ovr', 'pcs', 'pfv', 'plt', 'vrm', 'pobj', 'psid', 'rd', 'scv', 'sk1', 'sk2', 'ssk', 'stn', 'svf', 'svgz', 'tlc', 'tne', 'ufr', 'vbr', 'vec', 'vm', 'vsdm', 'vstm', 'stm', 'vstx', 'wpg', 'vsm', 'xar', 'ya', 'orf', 'ota', 'oti', 'ozb', 'ozj', 'ozt', 'pa', 'pano', 'pap', 'pbm', 'pc1', 'pc2', 'pc3', 'pcd', 'pdd', 'pe4', 'pef', 'pfi', 'pgf', 'pgm', 'pi1', 'pi2', 'pi3', 'pic', 'pict', 'pix', 'pjpg', 'pm', 'pmg', 'pni', 'pnm', 'pntg', 'pop', 'pp4', 'pp5', 'ppm', 'prw', 'psdx', 'pse', 'psp', 'ptg', 'ptx', 'pvr', 'px', 'pxr', 'pz3', 'pza', 'pzp', 'pzs', 'z3d', 'qmg', 'ras', 'rcu', 'rgb', 'rgf', 'ric', 'riff', 'rix', 'rle', 'rli', 'rpf', 'rri', 'rs', 'rsb', 'rsr', 'rw2', 'rw', 's2mv', 'sci', 'sep', 'sfc', 'sfw', 'skm', 'sld', 'sob', 'spa', 'spe', 'sph', 'spj', 'spp', 'sr2', 'srw', 'wallet', 'jpeg', 'jpg', 'vmdk', 'arc', 'paq', 'bz2', 'tbk', 'bak', 'tar', 'tgz', 'gz', '7z', 'rar', 'zip', 'backup', 'iso', 'vcd', 'bmp', 'png', 'gif', 'tif', 'tiff', 'm4u', 'm3u', 'mid', 'wma', 'flv', '3g2', 'mkv', '3gp', 'mp4', 
'mov', 'avi', 'asf', 'mpeg', 'vob', 'mpg', 'wmv', 'fla', 'swf', 'wav', 'mp3']

Article Link: http://www.vkremez.com/2017/12/lets-learn-studying-magniber-ransomware.html