General

  • Target

    JigsawRansomware.exe

  • Size

    60KB

  • Sample

    240529-s8fh3abf52

  • MD5

    72c2cc3ab874b3cb59bca4724cf0c1e7

  • SHA1

    f57625becb7513623ce1dc4a18f30a8df0c5763b

  • SHA256

    05f42b673ebd0d13220a1ec382ddc830892c5ca3376089dfea0b72d601483d7a

  • SHA512

    f9772b4fc46ae66cdcc110de1f5429f4c5f233373e13b0da839788aff076f29a5a93d16664ab91cb0664227f34d39698e112cff3c5d2db8b5eab1dd9cb6c583a

  • SSDEEP

    768:Y1EW7GeB4uyTbIJgysVnlphLMZwZxeKtYJ8xDTIZUY2QRT/b4I19Yi6WrGgpCe0f:Y1E4Bgyulpzs+IZUY1sIzYi7D10Py7O

Malware Config

Targets

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named after the wallpaper it set after infection in its early versions.

    • Renames multiple (1961) files with added filename extension

      This suggests ransomware activity, i.e. encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks