jigsaw | hxxps://github[.]com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware[.]Jigsaw

Analysis

max time kernel
491s
max time network
1238s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
23-06-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Jigsaw

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\LockReset.tif.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\ResumeMerge.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\RevokeJoin.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\TestInitialize.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\EditRequest.raw.fun	drpbx.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
2232	powershell.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: 33	2860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2860	AUDIODG.EXE
Token: 33	2860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2860	AUDIODG.EXE
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
2216	drpbx.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2028	1740	chrome.exe	27
PID 1740 wrote to memory of 2028	1740	chrome.exe	27
PID 1740 wrote to memory of 2028	1740	chrome.exe	27
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 700	1740	chrome.exe	29
PID 1740 wrote to memory of 1480	1740	chrome.exe	30
PID 1740 wrote to memory of 1480	1740	chrome.exe	30
PID 1740 wrote to memory of 1480	1740	chrome.exe	30
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31
PID 1740 wrote to memory of 1456	1740	chrome.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Jigsaw
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6579758,0x7fef6579768,0x7fef6579778
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:2
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:2
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1192,i,9244499497974452298,11714871263391832070,131072 /prefetch:8
  2⤵
  PID:2496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1648

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe ./jigsaw
  2⤵
  PID:2164

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\jigsaw
  2⤵
  - Modifies registry class
  PID:2412
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\jigsaw
  2⤵
  - Modifies registry class
  PID:2616
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\jigsaw
    3⤵
    PID:2788

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\jigsaw
1⤵
- Modifies registry class
PID:692

C:\Users\Admin\Desktop\jigsaw.exe
"C:\Users\Admin\Desktop\jigsaw.exe"
1⤵
- Adds Run key to start application
PID:2196
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\jigsaw.exe
  2⤵
  - Modifies extensions of user files
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Are.docx.fun
1⤵
- Modifies registry class
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9e9766490d59d0d688d74f6a2c72624f

SHA1
3fcca9495c3c1c32b35b3267e13cc0b33a381e38

SHA256
4344fbf2bdf482fb97d9c68e18f72ef0d2c418baaa7a4abfafac1293af5a81ef

SHA512
e0093a17bf22ffb134b7d76f4b921cb4379dec56f526b63eb6cf8849ff15dc77252eaadfa38fb43acc52b6027c0705ae196fec059d0c7519a3b94e999cdc2c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6e1585.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ec89187f4dc0c8d085d64c6630b4394b

SHA1
a8c1a398d00cda8fa41c43d3391f4ba19928ba8b

SHA256
436cc54af81be3af3f78c418205af9bc72cedf61a7f1d4f1b71614cfd5fe4ab5

SHA512
e27186b4076971f1ac67ae448cc8d7b8c2ceb3ad3690e142064d9bc5255b535c6370b3a0f05ffc51de3bea35ba322d515cc4dbe370fb58077eeef32ee9bd5b1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a6527749d3f2e3d1d1a1f4c02391dc80

SHA1
310d471e5f59362f6cf5d70e37eb051a331cf2ec

SHA256
1d1da0ba2db6acc443be2c84a78def55aba88194c49e41840b83f4b960f6465a

SHA512
7c1edc3a577b8b66b93c7853c9c3b3561c1be7f353e52d5d8bb069f4f056b118297ffa1c8d44434d2edf37a13c128b9f407a25e7457669b292dfd312ad61a876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
471855ddac86decc91a3f4d54e4c6562

SHA1
9d18882479d82630e7b5afcb35d820525c96ea1d

SHA256
e88c8169fd034261d32962a8d6d7923bcb792dc3e7d14517c09cdff6e1549f6a

SHA512
30a3e11cda81c9d46c5a3dfed7833ccb39590a07bd5755ffb97657fece985ccea15af1fef6b522cdea82b831af5db52b48edaa5f44fd8f4384c95dce8a8831f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a78311b70f53d20d929dc778995e3414

SHA1
4dc0ab818af34d5bd1040f11cd033d2285f7e879

SHA256
391ad114997134b76aa584a1ad38a3a89e55ee212f7c0a6bda9e9735fdd184e2

SHA512
709edf684cf8c920fa04d913b8cdc1a7eec3f2ae627315783a50f84a5b84f3a7f0561b3f9b38ac4472e3882f618a2c71f9eea894c7ead3905eba6c9825ea00eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7fce54317ce0657f9cd3cd29b451ed90

SHA1
1393071d88c06ac819c7c75e593e42f0aff1b302

SHA256
d9b80505c0be82d8bcae67ab97a28703f2e750b83e95ea89647aa188743d025c

SHA512
ab13c3230db6667e8dcbb4153fcc9ea821dc889ef775f719d644d4403a4522754d134a7b66d0e1afb914ad050cd34cfe0560cf7547d7ec724abf18ac6140436d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
37d9b3288a378fdee20d2a4c313172ab

SHA1
87799b7b9528cd0ac3d9f2145d3369f3d995c640

SHA256
6dbfffff19aa18ac6e946cb1c2b97f86b6bc906cbc30ee5c20457974349cfec4

SHA512
404329a3f112671de83e9df9ad1e0857511141918b27a800a88ce99e6e33ea4f6d558900115e10a7fb02ea0df1d8777b46b3f35565c89b235cc8f70e0855256e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8b00426fdf43653a8c65fad3e96b034f

SHA1
d69d43eb0e40ddbdf3043ee9f9c32b8d6495bc0e

SHA256
93b7bc234e6d51c42b29f26242bf1f42fe94f193202b433750ddf52dbd9a39d9

SHA512
c6b3a753d0f550be3061fb588bada7bad295e0bc51573e7cef6d48fb05ef77e302288560b422aa98a6a0d8643ec590232c85c0084d77229d83c36aebbe9bee8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fce8086905046c244b76d33cd674cb67

SHA1
b109a0d4706154785ee896484e84039e65d617db

SHA256
9324be8edfd46fb6b0f7c37e864ec62a1b6063391711d2ad9a1da4d14ef75c62

SHA512
7b0a343e1c25a6b9ff55a95d641413f1cc7ce2dc334d602bdd72621ebbae5751506a1d0f52f7bfbdf81a3bf15188e704521db155ccc678f03a1c05d4a390850e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
19f71b2d27fe074f86bf936e4faa7e21

SHA1
7d07b66203182ae00fc536ba7480859d8a1ef316

SHA256
019d5606be6f3b0c72a73f962bc5c1470955e6bf79b0a1baba8aab574262bc7e

SHA512
d85ef1786d725c55c9fe2c8dbbe39abfec8ace0df771ca7b6c0618c1dac1204fe1f475e5d067fd94d3caac40eff27c3fba801ff9dfdb1ec3502e1413f13a6c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c45c3f443ac4952f258353fe7afe8f35

SHA1
09a8bd9e3cca794aafe4014a515c6e89a7dfcfac

SHA256
7a791576de3c2642e891a689ba87ee0634a60caa8d7d475c8bce02dd07ab3a9b

SHA512
a03a335ef098a73208b9e6ac429f16e17c1a517f78f37cce169ee3268418c5177698d586107b6065aef2f8fad321f252375c5a9decd54a91d9b0b59e437a5c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
329e6a2e86f4eca91bfc12052c399a7f

SHA1
8926a0053bf800de59c05f45c29b2768f947a3d6

SHA256
84998a1d55322d5aa244911674b7a6e64426b3dca63fc7de2dabbfc3508da648

SHA512
5021447bc3fc70c8fb5fc455ddafa29859c4ee975caa33c2ba21539acf2159af2624e2b8ef7bc2fcbb601a86bd292b2499361d96d2857e11fae3c4a01d0fd63a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
memory/2196-295-0x00000000013B0000-0x0000000001400000-memory.dmp

Filesize
320KB

Download
memory/2196-296-0x0000000000360000-0x0000000000398000-memory.dmp

Filesize
224KB

Download
memory/2216-305-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2216-2306-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2216-304-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2216-2321-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/2216-303-0x00000000013D0000-0x0000000001420000-memory.dmp

Filesize
320KB

Download
memory/2216-2320-0x000000001C280000-0x000000001C2F2000-memory.dmp

Filesize
456KB

Download
memory/2232-256-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2232-249-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2232-248-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2232-247-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2232-250-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2232-246-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/2232-251-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2232-257-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download