Resubmissions

18-12-2023 08:32

231218-kfrfvshehr 10

05-12-2023 07:30

231205-jb2klaab85 10

04-12-2023 20:22

231204-y51ygsfd77 10

General

  • Target

    Ransomware.Jigsaw.zip

  • Size

    239KB

  • Sample

    231204-y51ygsfd77

  • MD5

    3ad6374a3558149d09d74e6af72344e3

  • SHA1

    e7be9f22578027fc0b6ddb94c09b245ee8ce1620

  • SHA256

    86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

  • SHA512

    21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

  • SSDEEP

    3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      Ransomware.Jigsaw.zip

    • Size

      239KB

    • MD5

      3ad6374a3558149d09d74e6af72344e3

    • SHA1

      e7be9f22578027fc0b6ddb94c09b245ee8ce1620

    • SHA256

      86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

    • SHA512

      21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

    • SSDEEP

      3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (3713) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks