jigsaw | b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

Resubmissions

09-10-2023 22:49

231009-2rx68aba24 10

05-11-2020 14:34

201105-wwra1hx6zn 10

Analysis

max time kernel
250s
max time network
252s
platform
windows10_x64
resource
win10v20201028
submitted
05-11-2020 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
Size

41KB
MD5

0efb06144ff6e9eb6bdc03fafa5167a7
SHA1

894bc02320d1308462ce004cf06e1bb1841d22c2
SHA256

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3
SHA512

a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 1 IoCs

Processes:

AcroRd32.exe

pid	Process
3012	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Google (x86)\\Chrome32.exe"	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

description	pid	Process	procid_target
PID 644 wrote to memory of 3012	644	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe	75
PID 644 wrote to memory of 3012	644	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe	75

C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
"C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
  "C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
  2⤵
  - Executes dropped EXE
  PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe

MD5
0efb06144ff6e9eb6bdc03fafa5167a7

SHA1
894bc02320d1308462ce004cf06e1bb1841d22c2

SHA256
b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

SHA512
a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Download Submit
C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe

MD5
0efb06144ff6e9eb6bdc03fafa5167a7

SHA1
894bc02320d1308462ce004cf06e1bb1841d22c2

SHA256
b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

SHA512
a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Download Submit
memory/644-0-0x00007FFD721D0000-0x00007FFD72B70000-memory.dmp

Filesize
9.6MB

Download
memory/3012-1-0x0000000000000000-mapping.dmp

Download
memory/3012-4-0x00007FFD721D0000-0x00007FFD72B70000-memory.dmp

Filesize
9.6MB

Download