Resubmissions

26-03-2024 00:35

240326-axjggadh31 10

26-03-2024 00:31

240326-at25eadh3s 10

Analysis

  • max time kernel
    90s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-03-2024 00:31

General

  • Target

    JigsawRansomware.exe

  • Size

    1.5MB

  • MD5

    a19bccc7accdbc624e21773e29915021

  • SHA1

    d5ffa92286ab0dfd5d750948880225f11dc0eba3

  • SHA256

    ea864341641de1637aae67886b4803cb1311a76bc661b12048b9dcb099cb0171

  • SHA512

    d85af739631d4dd960c1bf7bc045f53ad3e31a10d4a41facb8664a89b65c9182ac7205ea9466815099d7dc8cedf372496d050c66f15fc3cc92fbc2803efc6db7

  • SSDEEP

    49152:z70nS4pfVkqgy6r3a+kqXfd+/9A9TVanieKd:z7K5JEyUa+kqXf0FoVW

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Renames multiple (1487) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:5024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.kys

    Filesize

    32KB

    MD5

    aec7bd7c96948d97d13c7df53988e89c

    SHA1

    7b906b88009e7509324ae92dc8a32ae4fb38626c

    SHA256

    15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

    SHA512

    27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

  • C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.kys

    Filesize

    160B

    MD5

    000e8c41d4a15fb34d0be0dbb56e3778

    SHA1

    00c4eae64ee6239d7c65d819c6ce1ac329224f8c

    SHA256

    8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

    SHA512

    775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    1.5MB

    MD5

    a19bccc7accdbc624e21773e29915021

    SHA1

    d5ffa92286ab0dfd5d750948880225f11dc0eba3

    SHA256

    ea864341641de1637aae67886b4803cb1311a76bc661b12048b9dcb099cb0171

    SHA512

    d85af739631d4dd960c1bf7bc045f53ad3e31a10d4a41facb8664a89b65c9182ac7205ea9466815099d7dc8cedf372496d050c66f15fc3cc92fbc2803efc6db7

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.kys

    Filesize

    8KB

    MD5

    420960c4b17842a24bbf117222c60e47

    SHA1

    4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

    SHA256

    e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

    SHA512

    b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

  • C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1708528375.txt.kys

    Filesize

    16B

    MD5

    cfdae8214d34112dbee6587664059558

    SHA1

    f649f45d08c46572a9a50476478ddaef7e964353

    SHA256

    33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

    SHA512

    c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

  • memory/4832-0-0x00000242D3070000-0x00000242D3202000-memory.dmp

    Filesize

    1.6MB

  • memory/4832-1-0x00007FFEA6C80000-0x00007FFEA7742000-memory.dmp

    Filesize

    10.8MB

  • memory/4832-15-0x00007FFEA6C80000-0x00007FFEA7742000-memory.dmp

    Filesize

    10.8MB

  • memory/5024-16-0x00007FFEA6C80000-0x00007FFEA7742000-memory.dmp

    Filesize

    10.8MB

  • memory/5024-17-0x000001BC22FD0000-0x000001BC22FE0000-memory.dmp

    Filesize

    64KB

  • memory/5024-463-0x00007FFEA6C80000-0x00007FFEA7742000-memory.dmp

    Filesize

    10.8MB

  • memory/5024-826-0x000001BC22FD0000-0x000001BC22FE0000-memory.dmp

    Filesize

    64KB