jigsaw | 802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/01/2024, 05:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe
Size

78KB
MD5

c5eff77db7eb62c4066247adfcd64797
SHA1

acf5f645a1af2987c8a5398c12d03622feba9d35
SHA256

802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5
SHA512

1610710c081064743dcfc9b7f5cdf42e63c9f78f3f55983c7f00ae6e60124489a5239cafb89375cc8e3d9d7696eeed7bb23f05dcda52644aafee651f69768dbd
SSDEEP

1536:m3l0Bj+w0lplDHFNGlNEQZwS+g+vkjf9Hy+D00m:m3lkCwQplDleNGS+g+kjfEb

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (2014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2664	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif.fun	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid_over.gif.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2664	2080	802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe	28
PID 2080 wrote to memory of 2664	2080	802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe	28
PID 2080 wrote to memory of 2664	2080	802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe	28

C:\Users\Admin\AppData\Local\Temp\802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe
"C:\Users\Admin\AppData\Local\Temp\802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
78KB

MD5
c5eff77db7eb62c4066247adfcd64797

SHA1
acf5f645a1af2987c8a5398c12d03622feba9d35

SHA256
802fef4d4f81c443497362711a7d8611741c30373c96d3229d699f225552a5f5

SHA512
1610710c081064743dcfc9b7f5cdf42e63c9f78f3f55983c7f00ae6e60124489a5239cafb89375cc8e3d9d7696eeed7bb23f05dcda52644aafee651f69768dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.fun

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
memory/2080-2-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-9-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-3-0x0000000002030000-0x00000000020B0000-memory.dmp

Filesize
512KB

Download
memory/2664-11-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-244-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2664-245-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-243-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-10-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2664-2036-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2664-2039-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.