Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-03-2024 02:06

General

  • Target

    JigsawRansomware.exe

  • Size

    1.1MB

  • MD5

    ac80d4e9b77e93b7a0e71065a14194db

  • SHA1

    49d7bd2d9dad11c569275d90a8901fb5a2927085

  • SHA256

    4643ba163a689a919e621229a55fa854e1d1a8c0ba233fe81deee762692ff43a

  • SHA512

    a4a560fa8c9a02e8ac1584c30e3cb7369b153482319b553de64afff43b955d15150f299ca32c97e61562375eb374c11b3f7b2908ae368f041c168eb4bade8730

  • SSDEEP

    24576:ZmTQcPTAcySiDNpfVkqgfPyU8/oa8reuaDQkqjVnlqud+/2P+A:s70nS4pfVkqgy6r3askqXfd+/9A

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Renames multiple (1482) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

    Filesize

    32KB

    MD5

    aec7bd7c96948d97d13c7df53988e89c

    SHA1

    7b906b88009e7509324ae92dc8a32ae4fb38626c

    SHA256

    15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

    SHA512

    27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

  • C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

    Filesize

    160B

    MD5

    000e8c41d4a15fb34d0be0dbb56e3778

    SHA1

    00c4eae64ee6239d7c65d819c6ce1ac329224f8c

    SHA256

    8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

    SHA512

    775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    404KB

    MD5

    a15acd4e327809e0cb5312e4e2193d61

    SHA1

    056ed67c4904cfde37ff81de19b4e7b21fd9c7bc

    SHA256

    9e6c1047185128bcd0b8a2793bc3feaa7df966c9757053dbbc13fc6f9120fa71

    SHA512

    f384c3840b474af0d27575651a20e8f11c5397a3a1c4d8abbcd839518320fcd0155e24f11b441f6ef0085a564429fd9b1e39f40360c97a30195ef822b0d265a2

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    436KB

    MD5

    e56f96fe88cd06a67201d0db288a0770

    SHA1

    9c2ca5148addc5b099a41c53312e86d6bce698f0

    SHA256

    276330e411a412199199d11cf398ffcc5bba86d11b759ac84e4a42c532951c1b

    SHA512

    0eb83cba01416f21b93ed34095b93c9a9a7860730198dee1f94ad2c94db49e1c51f50c3d5562881e8fb0850f9ebf99a1ba4208ea0cdf888af9f48acfdfc02555

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    441KB

    MD5

    881d38557ec9008929da9be5a959a6ce

    SHA1

    be86d78f6032e9abac3c0355b1228cea4a6f278e

    SHA256

    9909ad015666b93e6139b8f2652dbd991118a40cbe9e91d649dc3199d10882bf

    SHA512

    b3cbd513cbdb7abb47a990fa92a28a0735bb7ee6ba612a69a5cc8b5ac531d3aa7980559466a5d527da3272e1328ccf03ddce1093b178b5d881b59b2b604b1d36

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

    Filesize

    8KB

    MD5

    420960c4b17842a24bbf117222c60e47

    SHA1

    4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

    SHA256

    e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

    SHA512

    b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

  • C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1708528375.txt.fun

    Filesize

    16B

    MD5

    cfdae8214d34112dbee6587664059558

    SHA1

    f649f45d08c46572a9a50476478ddaef7e964353

    SHA256

    33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

    SHA512

    c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

  • memory/2992-0-0x0000026D84430000-0x0000026D8454E000-memory.dmp

    Filesize

    1.1MB

  • memory/2992-15-0x00007FFE7F300000-0x00007FFE7FDC2000-memory.dmp

    Filesize

    10.8MB

  • memory/2992-1-0x00007FFE7F300000-0x00007FFE7FDC2000-memory.dmp

    Filesize

    10.8MB

  • memory/3712-16-0x00007FFE7F300000-0x00007FFE7FDC2000-memory.dmp

    Filesize

    10.8MB

  • memory/3712-17-0x00000251579C0000-0x00000251579D0000-memory.dmp

    Filesize

    64KB

  • memory/3712-457-0x00007FFE7F300000-0x00007FFE7FDC2000-memory.dmp

    Filesize

    10.8MB

  • memory/3712-767-0x00000251579C0000-0x00000251579D0000-memory.dmp

    Filesize

    64KB

  • memory/3712-1502-0x00000251579C0000-0x00000251579D0000-memory.dmp

    Filesize

    64KB

  • memory/3712-1503-0x00000251579C0000-0x00000251579D0000-memory.dmp

    Filesize

    64KB