Analysis

max time kernel: 162s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 04:42
Behavioral task behavioral1
Sample: Jigsaw2-b.exe
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: Jigsaw2-b.exe
Resource: win10v2004-20231215-en
General

Target: Jigsaw2-b.exe
Size: 249KB
MD5: 33862bca1fe73d44277e9ad4f0aa81e1
SHA1: e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256: 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512: 08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c
SSDEEP: 6144:VFVg9EpWQxCKDgqLSV2hIq45K4O4xDL1UnhvHNJ7h0W93MPNdLM7G:/VgGD4KNWViIq4pOOPipHlzsQ7
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first seen in 2016, named after the wallpaper that early versions set after infection.
-
Renames multiple (257) files with added filename extension
A process adding the same new extension to hundreds of files is consistent with ransomware encrypting files across the system.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (Jigsaw2-b.exe)
Executes dropped EXE (1 IoC)
PID 4348: drpbx.exe
YARA rule upx matched (7 IoCs)
- behavioral2/memory/2240-0-0x0000000000400000-0x0000000000454000-memory.dmp (upx)
- behavioral2/files/0x0006000000023210-170.dat (upx)
- behavioral2/files/0x0006000000023210-177.dat (upx)
- behavioral2/memory/4348-179-0x0000000000400000-0x0000000000454000-memory.dmp (upx)
- behavioral2/memory/2240-182-0x0000000000400000-0x0000000000454000-memory.dmp (upx)
- behavioral2/files/0x0006000000023210-176.dat (upx)
- behavioral2/memory/4348-379-0x0000000000400000-0x0000000000454000-memory.dmp (upx)
Both the submitted process (PID 2240) and the dropped drpbx.exe (PID 4348) map a UPX-packed image at the same range, 0x400000-0x454000.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" (Jigsaw2-b.exe)
The value name and file name imitate Firefox, but the path is under the user's roaming AppData rather than a Program Files install directory.
Drops desktop.ini file(s) (2 IoCs)
- File created C:\Windows\assembly\Desktop.ini (Jigsaw2-b.exe)
- File opened for modification C:\Windows\assembly\Desktop.ini (Jigsaw2-b.exe)
Drops file in Program Files directory (64 IoCs)
- File created C:\Program Files\7-Zip\Lang\hr.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\logo.png (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\be.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\es.txt (drpbx.exe)
- File created C:\Program Files\7-Zip\History.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp (drpbx.exe)
- File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\BuildInfo.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\ExpandCompare.xltx (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\fa.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml (drpbx.exe)
- File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl_DMP.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File opened for modification C:\Program Files\WaitUnblock.xlsm (drpbx.exe)
- File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml (drpbx.exe)
- File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File created C:\Program Files\ConvertToEdit.js.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\ru.txt.zemblax (drpbx.exe)
- File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\cy.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\id.txt (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\ThirdPartyNotices.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\ko.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\ms.txt (drpbx.exe)
- File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\ast.txt.zemblax (drpbx.exe)
- File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.zemblax (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\sk.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\sv.txt (drpbx.exe)
- File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\et.txt.zemblax (drpbx.exe)
- File created C:\Program Files\7-Zip\Lang\lij.txt.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File created C:\Program Files\Microsoft Office\AppXManifest.xml.zemblax (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\nl.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\uk.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\sw.txt (drpbx.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\tr.txt (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml (drpbx.exe)
- File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\logo.png (drpbx.exe)
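The rows above are the raw evidence behind the "Renames multiple (257) files with added filename extension" signature: for a path the process opened for modification, a sibling with one extra extension (.zemblax) is created. The following Python is an added example, not part of this sandbox report or of the Jigsaw sample, that reconstructs that check over file-event rows in the sandbox's raw `File created <path> <process>` / `File opened for modification <path> <process>` form. The event list is constructed for the example (several paths are copied from the report, the pairing and benign rows are invented), and RENAME_THRESHOLD is an assumption.

```python
"""Detect the encrypt-and-rename pattern behind the report's
"Renames multiple files with added filename extension" signature.

Added example, not part of the sandbox report. It consumes file-event rows in
the sandbox's raw wording; SAMPLE_EVENTS is constructed for the example and
RENAME_THRESHOLD is an assumption (the report itself counted 257 renames).
"""
import re
from collections import defaultdict

# "File created <path> <process>" / "File opened for modification <path> <process>".
# The path may contain spaces, so it is matched greedily and the process is the last token.
EVENT_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")

# Assumption: renamed files from one process, sharing one appended extension,
# before the process is called out. Tune per estate; 257 is far above it.
RENAME_THRESHOLD = 5


def parse_event(line):
    """Return (action, path, process) for a file-event row, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    action = "created" if m.group(1) == "created" else "modified"
    return action, m.group(2), m.group(3)


def appended_extension(created_path, modified_paths):
    """If created_path is a modified path plus a new suffix, return that suffix.

    Walks the dots from the right: "a.txt.zemblax" tries "a.txt" + ".zemblax"
    first, then "a" + ".txt.zemblax". A created file whose original was never
    opened for modification (or whose name just has a dot in it) yields None.
    """
    idx = created_path.rfind(".")
    while idx > 0:
        original, suffix = created_path[:idx], created_path[idx:]
        if original in modified_paths:
            return suffix
        idx = created_path.rfind(".", 0, idx)
    return None


def detect_mass_rename(lines):
    """Return {process: {extension: [original paths]}} for processes over the threshold.

    Events are collected before pairing, so it does not matter whether the
    sandbox logged the "created" row before or after the "modified" row.
    """
    modified = defaultdict(set)
    created = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        action, path, proc = ev
        if action == "modified":
            modified[proc].add(path)
        else:
            created[proc].append(path)

    verdicts = {}
    for proc, paths in created.items():
        by_ext = defaultdict(list)
        for p in paths:
            ext = appended_extension(p, modified[proc])
            if ext:
                by_ext[ext].append(p[:-len(ext)])
        flagged = {ext: originals for ext, originals in by_ext.items()
                   if len(originals) >= RENAME_THRESHOLD}
        if flagged:
            verdicts[proc] = flagged
    return verdicts


# Constructed event log. The .zemblax paths and the Desktop.ini rows are copied
# from the report; the matching "opened for modification" rows for those files,
# the notepad.exe rows and the registry row are invented for the example.
SAMPLE_EVENTS = [
    r"File created C:\Program Files\7-Zip\Lang\hr.txt.zemblax drpbx.exe",
    r"File opened for modification C:\Program Files\7-Zip\Lang\hr.txt drpbx.exe",
    r"File created C:\Program Files\7-Zip\History.txt.zemblax drpbx.exe",
    r"File opened for modification C:\Program Files\7-Zip\History.txt drpbx.exe",
    r"File created C:\Program Files\ConvertToEdit.js.zemblax drpbx.exe",
    r"File opened for modification C:\Program Files\ConvertToEdit.js drpbx.exe",
    r"File created C:\Program Files\Microsoft Office\AppXManifest.xml.zemblax drpbx.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml drpbx.exe",
    # Same pairing with the rows in the opposite order.
    r"File opened for modification C:\Program Files\7-Zip\Lang\be.txt drpbx.exe",
    r"File created C:\Program Files\7-Zip\Lang\be.txt.zemblax drpbx.exe",
    r"File opened for modification C:\Program Files\7-Zip\Lang\ru.txt drpbx.exe",
    r"File created C:\Program Files\7-Zip\Lang\ru.txt.zemblax drpbx.exe",
    # Created file with no modified original in the log: not counted as a rename.
    r"File created C:\Program Files\7-Zip\Lang\fa.txt.zemblax drpbx.exe",
    # Parent process only touches Desktop.ini; no extension is appended.
    r"File created C:\Windows\assembly\Desktop.ini Jigsaw2-b.exe",
    r"File opened for modification C:\Windows\assembly\Desktop.ini Jigsaw2-b.exe",
    # Benign: one backup copy written by an editor, far below the threshold.
    r"File opened for modification C:\Users\Admin\Documents\notes.txt notepad.exe",
    r"File created C:\Users\Admin\Documents\notes.txt.bak notepad.exe",
    # Not a file event; the parser skips it.
    r"Set value (str) HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe Jigsaw2-b.exe",
]

if __name__ == "__main__":
    for proc, exts in detect_mass_rename(SAMPLE_EVENTS).items():
        for ext, originals in exts.items():
            print(f"{proc}: {len(originals)} files renamed with {ext}")
```

Pairing a created file with a modified original is what separates this from a plain "many new files" count: the fa.txt.zemblax row without its original, the Desktop.ini rows and the single .bak backup all stay below the line, while the six .zemblax pairs from drpbx.exe clear it.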
Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\assembly (Jigsaw2-b.exe)
- File created C:\Windows\assembly\Desktop.ini (Jigsaw2-b.exe)
- File opened for modification C:\Windows\assembly\Desktop.ini (Jigsaw2-b.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2240 (Jigsaw2-b.exe)
- Token: SeDebugPrivilege, PID 4348 (drpbx.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2240 (Jigsaw2-b.exe) wrote to memory of 4348, procid_target 93
- PID 2240 (Jigsaw2-b.exe) wrote to memory of 4348, procid_target 93
- PID 2240 (Jigsaw2-b.exe) wrote to memory of 4348, procid_target 93
Processes

1. C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe (PID 2240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe (PID 4348, child of 2240)
      Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 58KB
MD5: 936793267fde60964ee5434543d407f4
SHA1: b2ca9d1094b9c20dab23ea0531cac6e68a2384a7
SHA256: 38c6402357cad141202c4aaa6dcd17f94736d9185c13a2e6d669a9a64cdd68f2
SHA512: 98e386de3b3f731ba29f3733673263b5e23d15d219ba77107c19a01a73c8ce5c2e9b4c4b74dfb52ea0e2b24bd7410b967a0df0f4d85aadf3505a7562a9111ffc

Filesize: 118KB
MD5: 48f8fedf8ecfafa672b5469f9d88267b
SHA1: 939dad736d1fd4f1346d8c8912d1ce19da4074e8
SHA256: 458478d334ad0084d75c564f5e66fcd2a422e8e473610e062021088c69646019
SHA512: 4f5c6635645d8f43c56c86d3eadbfc917296f2d739aac1de859edc9f7f5c9bdca39298e30a9cc159bdaefe2c21bad9794614634592ae851305b70243886a9431

Filesize: 52KB
MD5: 98c68c21b8fcd9dee47a122d964fa5c5
SHA1: d982b40a81f84889bddc6a5d509ee39efa33c1b4
SHA256: 27f691d1760969f7b335418a7398a3c4a3f27ea873c0ee9b7c7888b3d7364fae
SHA512: a22b858ecad331a100e3a0e2c6313fe3012ec6f9824aada3df3e76509121b3a0245887e6b330b30dd3e58fc913054800cb0ad37defbfc2e9adf8e2300ee89468