Probably an exceptionally boring subject for my first post, but I hope it helps some other IT people.
We were alerted to a suspicious folder appearing in some users’ default Documents folder, called “angus_dumps”. The only reference we could find online was a question somebody asked in the Apple forums, and we ruled out the Angus/Phobos ransomware when we couldn’t find any IOCs (indicators of compromise).
After some analysis, it just turned out to be a directory that is created when the SMART Mirror app is launched for the first time. It took us a little while to narrow it down, so I just hope this helps someone else.
Just a bit more context: the users were on Windows 10, and the directory was appearing in OneDrive due to known folder sync. The directory always seems to be empty. Correlation between the launch of SMART Mirror and the angus_dumps folder was made using Autopsy on a disk image from one of the affected devices.
Leave a Reply