Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 03:37

General

  • Target

    AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/obj/Release/JigsawRansomware.exe

  • Size

    60KB

  • MD5

    14a2065165fca7f48b20123ea1ca8d2d

  • SHA1

    f6371909e9b9751d3f7539a75ec0f024cd3094bf

  • SHA256

    cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

  • SHA512

    eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

  • SSDEEP

    1536:f2Dyv30ZpBzKmGIZUY1sIzYi7D10Py7j:+Dy2pBzbZUYxYID6a

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Renames multiple (2177) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\JigsawRansomware\JigsawRansomware\JigsawRansomware\obj\Release\JigsawRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\JigsawRansomware\JigsawRansomware\JigsawRansomware\obj\Release\JigsawRansomware.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\JigsawRansomware\JigsawRansomware\JigsawRansomware\obj\Release\JigsawRansomware.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

    Filesize

    160B

    MD5

    000e8c41d4a15fb34d0be0dbb56e3778

    SHA1

    00c4eae64ee6239d7c65d819c6ce1ac329224f8c

    SHA256

    8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

    SHA512

    775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    60KB

    MD5

    14a2065165fca7f48b20123ea1ca8d2d

    SHA1

    f6371909e9b9751d3f7539a75ec0f024cd3094bf

    SHA256

    cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

    SHA512

    eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

  • C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\JigsawRansomware\JigsawRansomware\packages\Newtonsoft.Json.10.0.3\lib\net45\Newtonsoft.Json.xml.fun

    Filesize

    658KB

    MD5

    e3ab3f6e3dd3856197ef93ab05bc2048

    SHA1

    05a5ebab502ac54af84109bf361cfbab147d4eb4

    SHA256

    89ab2878576875ad4b5f06ef7ee0f76311a86d87a50c17ec2d2e34dbe9c15fa1

    SHA512

    4047bea983fa05ee89257fcfa060fb6ec4c01e33f948a3277792f9f1a643a0f20d9b8c0f2dafd5619d7fd9d8d03f89ba36bcd681a0bb61d3265a388451a4ce5b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.fun

    Filesize

    16B

    MD5

    cfdae8214d34112dbee6587664059558

    SHA1

    f649f45d08c46572a9a50476478ddaef7e964353

    SHA256

    33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

    SHA512

    c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

  • memory/2004-0-0x00000000003E0000-0x00000000003F6000-memory.dmp

    Filesize

    88KB

  • memory/2004-1-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

    Filesize

    9.9MB

  • memory/2004-10-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

    Filesize

    9.9MB

  • memory/2944-8-0x00000000009E0000-0x00000000009F6000-memory.dmp

    Filesize

    88KB

  • memory/2944-9-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

    Filesize

    9.9MB

  • memory/2944-11-0x000000001B020000-0x000000001B0A0000-memory.dmp

    Filesize

    512KB

  • memory/2944-238-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

    Filesize

    9.9MB

  • memory/2944-2197-0x000000001B020000-0x000000001B0A0000-memory.dmp

    Filesize

    512KB