Malware Analysis Report

2024-10-18 23:52

Sample ID 220612-n1jtasaden
Target 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
SHA256 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
Tags
jigsaw persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7

Threat Level: Known bad

The file 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7 was found to be: Known bad.

Malicious Activity Summary

jigsaw persistence ransomware

Jigsaw Ransomware

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-12 11:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 11:51

Reported

2022-06-12 16:51

Platform

win7-20220414-en

Max time kernel

112s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"
Process: C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: icanhazip.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe

"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         icanhazip.com  udp
US       104.18.115.97:80   icanhazip.com  tcp
US       104.18.115.97:80   icanhazip.com  tcp
US       104.18.114.97:80   icanhazip.com  tcp

Files

memory/904-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

memory/904-55-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/904-56-0x0000000074230000-0x00000000747DB000-memory.dmp

\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 269de662c8b796f35e614a1aa807d769
SHA1 43f32f0e0d952dba0bc2cb3c0657291f0930ec8a
SHA256 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
SHA512 4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 269de662c8b796f35e614a1aa807d769
SHA1 43f32f0e0d952dba0bc2cb3c0657291f0930ec8a
SHA256 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
SHA512 4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009

memory/2044-58-0x0000000000000000-mapping.dmp

memory/904-62-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2044-63-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2044-64-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2044-65-0x0000000074230000-0x00000000747DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 11:51

Reported

2022-06-12 16:51

Platform

win10v2004-20220414-en

Max time kernel

154s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"

Signatures

Looks up external IP address via web service

Description: N/A
Indicator: icanhazip.com
Process: N/A
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe

"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"

Network

Country  Destination           Domain                         Proto
NL       8.238.24.126:80                                      tcp
NL       8.238.24.126:80                                      tcp
US       8.8.8.8:53            icanhazip.com                  udp
US       104.18.114.97:80      icanhazip.com                  tcp
IE       52.109.76.31:443                                     tcp
NL       104.110.191.133:80                                   tcp
US       104.18.115.97:80      icanhazip.com                  tcp
US       8.8.8.8:53            97.97.242.52.in-addr.arpa      udp

Files

memory/2824-130-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/2824-131-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/2824-132-0x0000000074C10000-0x00000000751C1000-memory.dmp