jigsaw | df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763

Resubmissions

09-10-2023 22:49

231009-2rysragh81 10

01-05-2020 14:11

200501-pez84yzjvx 10

Analysis

max time kernel
35s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
01-05-2020 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rBlbqI2.exe
Size

291KB
MD5

2fec9bf50de5395f799b23a1099b10d6
SHA1

6000969e75d7d7a3fa1b908bdb9d5daeb5f2534e
SHA256

df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763
SHA512

5f6885fb1940ee4f84507e2b7929f637d8f264a5c77329aeae31803b772608ea93370177017f90f6f8d8bc9e0b30eb8607ed120d4ead68104fd70feec71a9ab8

Score

10^/10

persistence ransomware jigsaw

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	drpbx.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	rBlbqI2.exe

Jigsaw
Ransomware family first created in 2016. Named based on wallpaper set after infection.
ransomware jigsaw

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	rBlbqI2.exe
Token: SeDebugPrivilege	1500	drpbx.exe

Loads dropped DLL 1 IoCs

pid	Process
824	rBlbqI2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1500	824	rBlbqI2.exe	24
PID 824 wrote to memory of 1500	824	rBlbqI2.exe	24
PID 824 wrote to memory of 1500	824	rBlbqI2.exe	24
PID 824 wrote to memory of 1500	824	rBlbqI2.exe	24

C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe
"C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-0-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1500-8-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download