General

  • Target

    3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

  • Size

    2.4MB

  • Sample

    240130-geyxrsbaaq

  • MD5

    c2c5848ec8ae11e84d42521c527f75ca

  • SHA1

    d8d98dff64297d4cf8a227a2c138efc4774942b2

  • SHA256

    3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

  • SHA512

    10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

  • SSDEEP

    49152:3rKiRwG7r2ie/XMK+kLg7SdqnCvIUdJi0l2Css5qq2nY4/gX1aNnUm5vL:3RXK+b7ScCvFPx3Kr48UmN

Malware Config

Targets

    • Target

      3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

    • Size

      2.4MB

    • MD5

      c2c5848ec8ae11e84d42521c527f75ca

    • SHA1

      d8d98dff64297d4cf8a227a2c138efc4774942b2

    • SHA256

      3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

    • SHA512

      10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

    • SSDEEP

      49152:3rKiRwG7r2ie/XMK+kLg7SdqnCvIUdJi0l2Css5qq2nY4/gX1aNnUm5vL:3RXK+b7ScCvFPx3Kr48UmN

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (2613) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks