jigsaw | 1582d05009d6870bad0d27a017e9b67793de7b65cc27ac126ca075c1516708bf

General

Target

cats.exe
Size

187KB
MD5

d3a0e47edcf938a77670e7a287eac0f2
SHA1

38c92837ca17c17ac9728d90a65a53196ed4fdd2
SHA256

ae3f350f758e1d229c6ec9cf7fb8c201a7e756b5866c05ac20df987a384a049a
SHA512

60962d0309d1cf84570000f883ce818f3f07570a5cad144e19ac4e7d3cbdcb5a0a85bc96e559a69041a4c538959284da01e636bd7df04cce25d8e8894e54f08a

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Executes dropped EXE 1 IoCs

Processes:

Chrome32.exe

pid process

1324 Chrome32.exe

pid	process
1324	Chrome32.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Chrome32.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\RegisterRead.png.cat	Chrome32.exe
File created	C:\Users\Admin\Pictures\MountSwitch.raw.cat	Chrome32.exe
File created	C:\Users\Admin\Pictures\PushRedo.png.cat	Chrome32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cats.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	cats.exe

Drops file in Program Files directory 64 IoCs

Processes:

Chrome32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	Chrome32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	Chrome32.exe
File created	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.cat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif	Chrome32.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	Chrome32.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.cat	Chrome32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cats.exe

description	pid	process	target process
PID 1832 wrote to memory of 1324	1832	cats.exe	Chrome32.exe
PID 1832 wrote to memory of 1324	1832	cats.exe	Chrome32.exe
PID 1832 wrote to memory of 1324	1832	cats.exe	Chrome32.exe

C:\Users\Admin\AppData\Local\Temp\cats.exe
"C:\Users\Admin\AppData\Local\Temp\cats.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
"C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\Admin\AppData\Local\Temp\cats.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
MD5
d3a0e47edcf938a77670e7a287eac0f2

SHA1
38c92837ca17c17ac9728d90a65a53196ed4fdd2

SHA256
ae3f350f758e1d229c6ec9cf7fb8c201a7e756b5866c05ac20df987a384a049a

SHA512
60962d0309d1cf84570000f883ce818f3f07570a5cad144e19ac4e7d3cbdcb5a0a85bc96e559a69041a4c538959284da01e636bd7df04cce25d8e8894e54f08a

Download Submit
C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
MD5
d3a0e47edcf938a77670e7a287eac0f2

SHA1
38c92837ca17c17ac9728d90a65a53196ed4fdd2

SHA256
ae3f350f758e1d229c6ec9cf7fb8c201a7e756b5866c05ac20df987a384a049a

SHA512
60962d0309d1cf84570000f883ce818f3f07570a5cad144e19ac4e7d3cbdcb5a0a85bc96e559a69041a4c538959284da01e636bd7df04cce25d8e8894e54f08a

Download Submit
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1324-64-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/1324-65-0x000007FEF2360000-0x000007FEF33F6000-memory.dmp

Filesize
16.6MB

Download
memory/1324-66-0x00000000009FB000-0x0000000000A1A000-memory.dmp

Filesize
124KB

Download
memory/1832-59-0x0000000002000000-0x0000000002002000-memory.dmp

Filesize
8KB

Download
memory/1832-60-0x000007FEF2360000-0x000007FEF33F6000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads