jigsaw | 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

Target

drpbx.exe
Size

125KB
MD5

7fab69dcc9fbee7ca91bef27dc551f63
SHA1

fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256

6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512

ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

Score

10^/10

Malware Config

Jigsaw
Ransomware family first created in 2016. Named based on wallpaper set after infection.
ransomware jigsaw
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

drpbx.exe

description pid process target process

PID 2536 wrote to memory of 580 2536 drpbx.exe drpbx.exe
PID 2536 wrote to memory of 580 2536 drpbx.exe drpbx.exe
Executes dropped EXE 1 IoCs

Processes:

drpbx.exe

pid process

580 drpbx.exe

description	pid	process	target process
PID 2536 wrote to memory of 580	2536	drpbx.exe	drpbx.exe
PID 2536 wrote to memory of 580	2536	drpbx.exe	drpbx.exe

pid	process
580	drpbx.exe

Drops file in Windows directory 3 IoCs

Processes:

drpbx.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	drpbx.exe
File created	C:\Windows\assembly\Desktop.ini	drpbx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	drpbx.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

drpbx.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini drpbx.exe
File opened for modification C:\Windows\assembly\Desktop.ini drpbx.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	drpbx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	drpbx.exe

Adds Run entry to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

drpbx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	drpbx.exe

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe
2⤵
- Executes dropped EXE
PID:580

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact