jigsaw | 61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

Resubmissions

19-07-2024 15:21

240719-srpqea1dkd 10

09-10-2023 22:49

30-03-2021 09:40

30-03-2021 09:36

29-03-2021 16:32

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09-10-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cats.exe
Size

126KB
MD5

e0d108435c58dc9403588e4dcab68275
SHA1

7a7331423938020550ff3decd2e8b50b3ee5c87a
SHA256

61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8
SHA512

2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e
SSDEEP

3072:7+gYdgLNp0jPilel4+800N1lknzRxqmhda40U6hrnzRxqmhda40U6hK:6gvunnhdaLlrnnhdaLl

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 1 IoCs

pid	Process
2628	Chrome32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	cats.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar	Chrome32.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.cat	Chrome32.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	Chrome32.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	Chrome32.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip.cat	Chrome32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2628	2840	cats.exe	28
PID 2840 wrote to memory of 2628	2840	cats.exe	28
PID 2840 wrote to memory of 2628	2840	cats.exe	28

C:\Users\Admin\AppData\Local\Temp\cats.exe
"C:\Users\Admin\AppData\Local\Temp\cats.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
  "C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\Admin\AppData\Local\Temp\cats.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.cat

Filesize
160B

MD5
a8258060e35cd08265a3f658e6aa2963

SHA1
a67c6aeb6db7a488c84810feea22a2d6f7be9bc8

SHA256
e847f277e6adf5f94573c0f1b10ac15efd6ca48f34f9be52e9baec6e1f1de04b

SHA512
70ecf38aa25d92ffff7a24ea35c467c95b9a22dfdc99e0705d56527923cda574add21987ab98ae2b8c589e334141d6957a660a3e34a546c764c3e42069f50d45

Download Submit
C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe

Filesize
126KB

MD5
e0d108435c58dc9403588e4dcab68275

SHA1
7a7331423938020550ff3decd2e8b50b3ee5c87a

SHA256
61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

SHA512
2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e

Download Submit
C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe

Filesize
126KB

MD5
e0d108435c58dc9403588e4dcab68275

SHA1
7a7331423938020550ff3decd2e8b50b3ee5c87a

SHA256
61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

SHA512
2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.cat

Filesize
16B

MD5
a2ec71f236b0da26c756b086bd502f09

SHA1
e9dc21e143a2aba3ca9eb634ed291ddf93b32e4b

SHA256
b4805a7f3e187212efacd5c2475bc8a30ce7274f8dae65858537a7f08b866717

SHA512
a1d0f50c760c9bc3ab50053633e2fd3bdca6d0de8f256b48b5c45c8bc20a93a7e2123b09c8ce5de3c9ef013d0f2c3de165d68f7748c89d629122ae6d498e9af3

Download Submit
C:\Users\Admin\AppData\Roaming\System32Work\EncryptedFileList.txt

Filesize
183KB

MD5
9170cc26aaae5e760890b59a07cf476a

SHA1
f0057aed9e8e76f0c8f881e5f9e6fe080356f762

SHA256
ffb8093ca0ebc0fe273e464d2c7338fd35f48d36f4a05212716660e54b26c4e8

SHA512
000d0bd066e063545dc189ff9b5b8f97a753d7999007941fa1c0bda281ef2c290351bb0dfb38130ffdd052299c9f913707e8dec4e753fde321eceef029aff73f

Download Submit
memory/2628-8-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-10-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-11-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-12-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2628-1980-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2628-1983-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2840-2-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-9-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-3-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads