jigsaw | 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811

Resubmissions

09-10-2023 22:49

231009-2rxwfsgh8z 10

06-03-2021 22:20

210306-e542m4kcwn 10

09-11-2020 19:51

201109-ldpapz7ekx 10

Analysis

max time kernel
11s
max time network
102s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
Size

291KB
MD5

5a5c745bf3e97fe2be01880132662f28
SHA1

924af25d379fc88319bc55958db898dbf5054309
SHA256

0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
SHA512

151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 1 IoCs

pid	Process
2072	drpbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
File created	C:\Windows\assembly\Desktop.ini	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
Token: SeDebugPrivilege	2072	drpbx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 2072	1020	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe	75
PID 1020 wrote to memory of 2072	1020	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe	75
PID 1020 wrote to memory of 2072	1020	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe	75

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-0-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1020-1-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2072-6-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download