Malware Analysis Report

2024-10-18 23:54

Sample ID: 220306-dbkzyshha4
Target: 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9
SHA256: 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9
Tags: jigsaw, persistence, ransomware, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9

Threat Level: Known bad

The file 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9 was found to be: Known bad.

Malicious Activity Summary

Tags: jigsaw, persistence, ransomware, spyware, stealer

Jigsaw Ransomware

Executes dropped EXE

Modifies extensions of user files

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-06 02:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-06 02:50
Reported: 2022-03-06 02:52
Platform: win7-20220223-en
Max time kernel: 4294177s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"

Signatures

Jigsaw Ransomware

Tags: ransomware, jigsaw

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Modifies extensions of user files

Tags: ransomware
Description Indicator Process Target
File created C:\Users\Admin\Pictures\ResumeApprove.png.locked C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Users\Admin\Pictures\ResumeDisable.png.locked C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Users\Admin\Pictures\SaveSplit.png.locked C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe

"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 17f29268c9f1c5d5bca8b2b66cd1044c
SHA1 16273c67d772dccd1bc9d375b1c9ffa25e83129c
SHA256 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9
SHA512 bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-06 02:50
Reported: 2022-03-06 02:52
Platform: win10v2004-en-20220112
Max time kernel: 90s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe

"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"

C:\Windows\system32\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Country Destination Domain Proto
FR 51.75.129.204:443 - tcp
LU 46.226.111.65:9001 - tcp
US 72.21.91.29:80 - tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.164.114:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 209.197.3.8:80 - tcp
KR 106.244.194.50:80 - tcp

Files

N/A