Resubmissions

30-12-2023 23:11

231230-26gg1scea6 10

22-12-2023 04:42

231222-fbzjfsebbr 10

Analysis

  • max time kernel
    162s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 04:42

General

  • Target

    Jigsaw2-b.exe

  • Size

    249KB

  • MD5

    33862bca1fe73d44277e9ad4f0aa81e1

  • SHA1

    e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1

  • SHA256

    053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

  • SHA512

    08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

  • SSDEEP

    6144:VFVg9EpWQxCKDgqLSV2hIq45K4O4xDL1UnhvHNJ7h0W93MPNdLM7G:/VgGD4KNWViIq4pOOPipHlzsQ7

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Renames multiple (257) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe
    "C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    58KB

    MD5

    936793267fde60964ee5434543d407f4

    SHA1

    b2ca9d1094b9c20dab23ea0531cac6e68a2384a7

    SHA256

    38c6402357cad141202c4aaa6dcd17f94736d9185c13a2e6d669a9a64cdd68f2

    SHA512

    98e386de3b3f731ba29f3733673263b5e23d15d219ba77107c19a01a73c8ce5c2e9b4c4b74dfb52ea0e2b24bd7410b967a0df0f4d85aadf3505a7562a9111ffc

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    118KB

    MD5

    48f8fedf8ecfafa672b5469f9d88267b

    SHA1

    939dad736d1fd4f1346d8c8912d1ce19da4074e8

    SHA256

    458478d334ad0084d75c564f5e66fcd2a422e8e473610e062021088c69646019

    SHA512

    4f5c6635645d8f43c56c86d3eadbfc917296f2d739aac1de859edc9f7f5c9bdca39298e30a9cc159bdaefe2c21bad9794614634592ae851305b70243886a9431

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    52KB

    MD5

    98c68c21b8fcd9dee47a122d964fa5c5

    SHA1

    d982b40a81f84889bddc6a5d509ee39efa33c1b4

    SHA256

    27f691d1760969f7b335418a7398a3c4a3f27ea873c0ee9b7c7888b3d7364fae

    SHA512

    a22b858ecad331a100e3a0e2c6313fe3012ec6f9824aada3df3e76509121b3a0245887e6b330b30dd3e58fc913054800cb0ad37defbfc2e9adf8e2300ee89468

  • memory/2240-56-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-7-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-2-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/2240-3-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

  • memory/2240-6-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

  • memory/2240-8-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-165-0x0000000005100000-0x0000000005101000-memory.dmp

    Filesize

    4KB

  • memory/2240-12-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-10-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-22-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-30-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-32-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-34-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-28-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-38-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-40-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-36-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-42-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-52-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-48-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-60-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-64-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-70-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-68-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-66-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-62-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-58-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-0-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/2240-50-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-1-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/2240-54-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-46-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-44-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-26-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-24-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-20-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-18-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-182-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/2240-184-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/2240-16-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/2240-14-0x0000000005040000-0x0000000005074000-memory.dmp

    Filesize

    208KB

  • memory/4348-192-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-379-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/4348-190-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4348-348-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-186-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-181-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-179-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/4348-188-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-183-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4348-347-0x00000000025B0000-0x00000000025B1000-memory.dmp

    Filesize

    4KB

  • memory/4348-516-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-515-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-514-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4348-612-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

  • memory/4348-613-0x0000000075020000-0x00000000755D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4348-614-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB