General

  • Target

    AntivirusDefender-main.zip

  • Size

    89.3MB

  • Sample

    240428-d6re8aff2v

  • MD5

    d557d3b4ec2ccc6b183389b36bcb2f10

  • SHA1

    a8807ccce532ac4944a1a59793de204322acf9b6

  • SHA256

    1786d9bdb752a866bba3beaa27f0b6e635e4c6449bcc32105539551758186492

  • SHA512

    a811cf3a4996de89bfb599d6415f0658293e0ffaefa2b960b3444cacdc50b539c8f8dc9388a41882809976ecd93fc7ca89a8a1474d7a0160ebc7e7e7e2955487

  • SSDEEP

    1572864:4KjLIi6HRu6GHRu63iHOES1EHRu6Dtqytrknx5ateij2KjLIK/i8lKjLIuqs1o0M:xR6H8zH8NuFEH8yvJknuLbur/5o0cT

Malware Config

Targets

    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest3.exe

    • Size

      17KB

    • MD5

      05a9d377f26e6c48b167f64fd802899b

    • SHA1

      90dc58c88d853ea53fcd54410f0cc7c5fd393f05

    • SHA256

      47c889dd63190f07f54b7f3db663a1fb54c1fa981caab5b627885ac92b156337

    • SHA512

      aa728441651b381442f09b7188349f926aec5f5ce57226d620aec7210ec19ba32ad52cf9a75cf71180041b5ee87b0245ad5534e4e738a4d174a1fc5f2a04afb0

    • SSDEEP

      384:mJY0j/DFndX6Fp08lUXDWPO0qfZhnOirYctGrFt:mpX6j030JKYctUP

    Score
    6/10
    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest4.exe

    • Size

      10.1MB

    • MD5

      97f44c7df82adc19ce025cfc8958245c

    • SHA1

      699fb553ea85db7c6c5fc5118ab7a1a0c3b19602

    • SHA256

      0fc9a98ed6bad1f94e0357b6bb833b4eca20bea119abc0cdfa3bb4caeeddcda1

    • SHA512

      e2da423ba4eee8f4e836f5eeed82bfe9cf482a911200f805dcdff20d41901c73b40faf187c66ef2e32f9ec8f6d565c43f38229c026285dd0411d4c1c8c22c27e

    • SSDEEP

      196608:QbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:kMGr4+BAf1qC1caBMWBR

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named after the wallpaper that early versions set after infection.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Renames multiple (2133) files with added filename extension

      This suggests ransomware activity, namely encrypting all the files on the system.

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/usbwrite.exe

    • Size

      68KB

    • MD5

      a191357249a9d39778c658d3b6776ece

    • SHA1

      5f0853ebdb80b8e34432587d4ae766eedf20e0b6

    • SHA256

      d8cd2cb4aa91a542029bbddd8675416fbef50a73e8e575309cb2906a122de743

    • SHA512

      be779bfac6149b957cb5a2c379cb2da5a2525453ae4c8cc72c5ccf5c3bb1ea0ac8583973d6cc109d938b61ae7616c4214c354757777b34c3e552f627668afd93

    • SSDEEP

      768:RARnoIPqpAzy2Q7XRmvyVlOZB/ibQWfcAW9:RUBPl+7BmwlOZB/WS

    Score
    1/10
    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/AntivirusDefender.exe

    • Size

      10.6MB

    • MD5

      7acbd34db0aa98d2a0cc3ea8716b12b5

    • SHA1

      842d24df65449d5722b387f0a28cb746cf615e69

    • SHA256

      3bdab09c77fda2c0afe9cafd76202cd33f9a1d7adee9e437a931d2ba366ebf87

    • SHA512

      1f564735bb1596a6ba5d1b6654fc3b90a9707117b048d54a1c54324eea5d634dbcfbdff366ef1d65598507660295008f8434054c3f53412cacf49c55aff208d2

    • SSDEEP

      196608:DbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:bMGr4+BAf1qC1caBMWBR

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/defender.exe

    • Size

      10.6MB

    • MD5

      7acbd34db0aa98d2a0cc3ea8716b12b5

    • SHA1

      842d24df65449d5722b387f0a28cb746cf615e69

    • SHA256

      3bdab09c77fda2c0afe9cafd76202cd33f9a1d7adee9e437a931d2ba366ebf87

    • SHA512

      1f564735bb1596a6ba5d1b6654fc3b90a9707117b048d54a1c54324eea5d634dbcfbdff366ef1d65598507660295008f8434054c3f53412cacf49c55aff208d2

    • SSDEEP

      196608:DbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:bMGr4+BAf1qC1caBMWBR

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      AntivirusDefender-main/AntivirusDefender/AntivirusDefender/obj/Debug/AntivirusDefender.exe

    • Size

      10.6MB

    • MD5

      7acbd34db0aa98d2a0cc3ea8716b12b5

    • SHA1

      842d24df65449d5722b387f0a28cb746cf615e69

    • SHA256

      3bdab09c77fda2c0afe9cafd76202cd33f9a1d7adee9e437a931d2ba366ebf87

    • SHA512

      1f564735bb1596a6ba5d1b6654fc3b90a9707117b048d54a1c54324eea5d634dbcfbdff366ef1d65598507660295008f8434054c3f53412cacf49c55aff208d2

    • SSDEEP

      196608:DbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:bMGr4+BAf1qC1caBMWBR

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      AntivirusDefender-main/AntivirusDefender3.2.bat

    • Size

      164B

    • MD5

      0559cbad4de4ff67440f857255584ac4

    • SHA1

      e75403dfca205ab43117b00e0300ade704fc0bf5

    • SHA256

      3c980efd376b67af91d4088d9bf7aa426eba9181e2c96738888ee148a6a4e141

    • SHA512

      138adf13cd645c38ed5a07bc398057f6ac967e06bffab8ba20c7cedcb3dcffe4402cd5cd988d0388f5ee186209038e452194926fed5d7ad80abff1003c9d1174

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Modifies firewall policy service

    • Modifies security service

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is accepted as valid.

    • Modifies Installed Components in the registry

    • Registers new Print Monitor

    • Sets file execution options in registry

    • Modifies file permissions

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Adds Run key to start application

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that act as plugins for Internet Explorer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.exe

    • Size

      60KB

    • MD5

      14a2065165fca7f48b20123ea1ca8d2d

    • SHA1

      f6371909e9b9751d3f7539a75ec0f024cd3094bf

    • SHA256

      cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

    • SHA512

      eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

    • SSDEEP

      1536:f2Dyv30ZpBzKmGIZUY1sIzYi7D10Py7j:+Dy2pBzbZUYxYID6a

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named after the wallpaper that early versions set after infection.

    • Renames multiple (3911) files with added filename extension

      This suggests ransomware activity, namely encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Target

      AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.vshost.exe

    • Size

      22KB

    • MD5

      da4e23aceac38213052dd9dead13571d

    • SHA1

      66e689243342762dd64f9bab998505d7cc453b6b

    • SHA256

      327983cff9c61c976b1cd64386a40ca18858178a2029ff4ece2c19388d0c61bd

    • SHA512

      7b957cda964a27c2c0b3a5ecf48fe2b01710dea3d01f444c0fa865d1c2bb8a0fb50faca55cb698bfb661de33fbc9d02119029f863905c644db7c013eba4432e6

    • SSDEEP

      384:OfIW5aWMS1q//0GftpBjAE+H3HRN7NslYa0dj:e/A58iCbHJao

    Score
    1/10
    • Target

      AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/obj/Release/JigsawRansomware.exe

    • Size

      60KB

    • MD5

      14a2065165fca7f48b20123ea1ca8d2d

    • SHA1

      f6371909e9b9751d3f7539a75ec0f024cd3094bf

    • SHA256

      cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

    • SHA512

      eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

    • SSDEEP

      1536:f2Dyv30ZpBzKmGIZUY1sIzYi7D10Py7j:+Dy2pBzbZUYxYID6a

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named after the wallpaper that early versions set after infection.

    • Renames multiple (2177) files with added filename extension

      This suggests ransomware activity, namely encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Target

      AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/bin/Debug/antivirusfalsepositivetest3.exe

    • Size

      17KB

    • MD5

      05a9d377f26e6c48b167f64fd802899b

    • SHA1

      90dc58c88d853ea53fcd54410f0cc7c5fd393f05

    • SHA256

      47c889dd63190f07f54b7f3db663a1fb54c1fa981caab5b627885ac92b156337

    • SHA512

      aa728441651b381442f09b7188349f926aec5f5ce57226d620aec7210ec19ba32ad52cf9a75cf71180041b5ee87b0245ad5534e4e738a4d174a1fc5f2a04afb0

    • SSDEEP

      384:mJY0j/DFndX6Fp08lUXDWPO0qfZhnOirYctGrFt:mpX6j030JKYctUP

    Score
    6/10
    • Target

      AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/obj/Debug/antivirusfalsepositivetest3.exe

    • Size

      17KB

    • MD5

      05a9d377f26e6c48b167f64fd802899b

    • SHA1

      90dc58c88d853ea53fcd54410f0cc7c5fd393f05

    • SHA256

      47c889dd63190f07f54b7f3db663a1fb54c1fa981caab5b627885ac92b156337

    • SHA512

      aa728441651b381442f09b7188349f926aec5f5ce57226d620aec7210ec19ba32ad52cf9a75cf71180041b5ee87b0245ad5534e4e738a4d174a1fc5f2a04afb0

    • SSDEEP

      384:mJY0j/DFndX6Fp08lUXDWPO0qfZhnOirYctGrFt:mpX6j030JKYctUP

    Score
    6/10
    • Target

      AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/JigsawRansomware.exe

    • Size

      60KB

    • MD5

      14a2065165fca7f48b20123ea1ca8d2d

    • SHA1

      f6371909e9b9751d3f7539a75ec0f024cd3094bf

    • SHA256

      cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

    • SHA512

      eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

    • SSDEEP

      1536:f2Dyv30ZpBzKmGIZUY1sIzYi7D10Py7j:+Dy2pBzbZUYxYID6a

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named after the wallpaper that early versions set after infection.

    • Renames multiple (2191) files with added filename extension

      This suggests ransomware activity, namely encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Target

      AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/blacklotus.exe

    • Size

      2.4MB

    • MD5

      d948d4b6db5d6d6e2e1ba6c0fa4bf008

    • SHA1

      05846d5b1d37ee2d716140de4f4f984cf1e631d1

    • SHA256

      1f43703d2171ab90e98357b6dfdf824417baa191a59419c27fce42cbafdb7ecf

    • SHA512

      fce681b3721eaf87f27b758782095e34665517ea4e0529cf18b32c4d0d5270ec40c8acf296ad2665e60a6e7e0430807f87e01e3a145902c9fea2a3c83100c15d

    • SSDEEP

      49152:AjY216rMHabk161nZDmcQt8O4BY3+lu2OtXED355:k3YdnZDmcQP6YO/OtXEf

    Score
    9/10
    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/c.exe

    • Size

      44KB

    • MD5

      6d1a47574ef7598017c13d64769cccfb

    • SHA1

      1d75bfb18ffc0b820cb36acf8707343fa6679863

    • SHA256

      d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6

    • SHA512

      7e4f90cd9f1c072089d626a51cffb3e89216e2ad5c55ade7b2c2f4f2d8106d5bc2030d2e1f6745cc47bf12180f566c2eb88dc0925f3040eb641e1fb1e6239f13

    • SSDEEP

      768:Z0fwmAwDI2JbYkIV1BJcow0c+/iG+LoxDGP+9JlGxHv0sxonv3TDhfKCd:Z0fwX+JbYkIV3Jcow0c+/iG+0xA8ShoL

    Score
    1/10
    • Target

      AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/f.exe

    • Size

      3.0MB

    • MD5

      4994952020da28bb0aa023d236a6bf3b

    • SHA1

      af807380a745a4bcf937b87a081ef895ee7f15ba

    • SHA256

      bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420

    • SHA512

      88393499d0816c173ea0b983995833e82e1aac1a73554d0b64d959b69dcf943644ab74927ad576bda48bbdace66256900aab33383f5a0546f6dfe21a8dd5662a

    • SSDEEP

      49152:AVKOBfJXA6rO+24f3TJA5RhU6UK4tNg0ZTw3Km8Igr8bvz1L7lOru5/cTomv/xtI:eKOBfKMO+2wTJA5RMaqk3Km8Igr8r1mq

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

persistence
Score
6/10

behavioral2

persistence
Score
6/10

behavioral3

jigsaw, discovery, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral4

jigsaw, discovery, evasion, persistence, ransomware, spyware, stealer
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

evasion, persistence, trojan
Score
10/10

behavioral8

evasion, persistence, trojan
Score
10/10

behavioral9

evasion, persistence, trojan
Score
10/10

behavioral10

evasion, persistence, trojan
Score
10/10

behavioral11

evasion, persistence, trojan
Score
10/10

behavioral12

evasion, persistence, trojan
Score
10/10

behavioral13

adware, discovery, evasion, persistence, stealer
Score
10/10

behavioral14

discovery, persistence
Score
8/10

behavioral15

Score
1/10

behavioral16

jigsaw, persistence, ransomware, spyware, stealer
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

jigsaw, persistence, ransomware, spyware, stealer
Score
10/10

behavioral20

jigsaw, persistence, ransomware
Score
10/10

behavioral21

persistence
Score
6/10

behavioral22

persistence
Score
6/10

behavioral23

persistence
Score
6/10

behavioral24

persistence
Score
6/10

behavioral25

jigsaw, persistence, ransomware, spyware, stealer
Score
10/10

behavioral26

jigsaw, persistence, ransomware, spyware, stealer
Score
10/10

behavioral27

evasion
Score
9/10

behavioral28

evasion
Score
9/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10