General
-
Target
Ransomware.Jigsaw.zip
-
Size
239KB
-
Sample
231204-y51ygsfd77
-
MD5
3ad6374a3558149d09d74e6af72344e3
-
SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620
-
SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
-
SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
SSDEEP
3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware.Jigsaw.zip
Resource
win10v2004-20231127-de
Malware Config
Extracted
C:\Users\Admin\Desktop\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
-
-
Target
Ransomware.Jigsaw.zip
-
Size
239KB
-
MD5
3ad6374a3558149d09d74e6af72344e3
-
SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620
-
SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
-
SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
SSDEEP
3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Renames multiple (3713) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1