jigsaw | b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

Resubmissions

09-10-2023 22:49

231009-2rx68aba24 10

05-11-2020 14:34

201105-wwra1hx6zn 10

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09-10-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
Size

41KB
MD5

0efb06144ff6e9eb6bdc03fafa5167a7
SHA1

894bc02320d1308462ce004cf06e1bb1841d22c2
SHA256

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3
SHA512

a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96
SSDEEP

768:P/qD8gHkDXmFY26O92PdAIAabphLyUvQX9EmY17cefj:PYtNFY2noyvGp8HmN

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 1 IoCs

pid	Process
1308	AcroRd32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Google (x86)\\Chrome32.exe"	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.v315	AcroRd32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.v315	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	AcroRd32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.jpg	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif.v315	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files\ExpandStep.dotm	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	AcroRd32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files\ConvertFromLock.dxf	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.v315	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.v315	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.v315	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.v315	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif.v315	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	AcroRd32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.v315	AcroRd32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp.v315	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	AcroRd32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp	AcroRd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx	AcroRd32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	AcroRd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1308	2436	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe	28
PID 2436 wrote to memory of 1308	2436	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe	28
PID 2436 wrote to memory of 1308	2436	b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe	28

C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
"C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
  "C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.v315

Filesize
160B

MD5
0886385c883e6319ec019dbdb8315eb6

SHA1
0014ca1ac628640303bd85fe5d0909f7e27e89fd

SHA256
f26915835c298fd96670ec6995b4f47c83339199ebdad9dad29af80158743c0f

SHA512
ec694d0a039a599a245730dc68bde906771eed376bc3d2065a9250c3754ead96a483f8722bc11f4d4001890a6ae791291f1b0e43236b9a1655797c4dabaea830

Download Submit
C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe

Filesize
41KB

MD5
0efb06144ff6e9eb6bdc03fafa5167a7

SHA1
894bc02320d1308462ce004cf06e1bb1841d22c2

SHA256
b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

SHA512
a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Download Submit
C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe

Filesize
41KB

MD5
0efb06144ff6e9eb6bdc03fafa5167a7

SHA1
894bc02320d1308462ce004cf06e1bb1841d22c2

SHA256
b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

SHA512
a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.v315

Filesize
16B

MD5
b5b7270686c0ed7cc8b209f45a00e057

SHA1
ef125d69d70409dae0f5079eb4ca7de2e02ac748

SHA256
ab1deb20552b9a7708bdfdc03c9b3248e7b97550dfd1044f7cf2e78b5a313f38

SHA512
c3d1acf3653dc891ce5b373cb7080651029dd5f32341c38c674c2ccc6aff0ccc6cc2f5367ee329124338400e13f1c06388c8c428aa09da2d4b9a8c099d3fa1bf

Download Submit
memory/1308-10-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-9-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-34-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/1308-35-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-36-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-2002-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/1308-2005-0x00000000008F0000-0x0000000000970000-memory.dmp

Filesize
512KB

Download
memory/2436-2-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-11-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-8-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-3-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads