General

  • Target

    VirusShare_b1e3b5c1bd78584ce102d10ca4c8dfc5

  • Size

    469KB

  • Sample

    240607-xs95yscc5w

  • MD5

    b1e3b5c1bd78584ce102d10ca4c8dfc5

  • SHA1

    4f2ef55e73a35a31997b5b52302b8b420a028ae6

  • SHA256

    6e5ef96557f4603fecfda52f9963687725f72ab1f805795ebdb091cc67c832a2

  • SHA512

    f7aadd115f4ba3b247bd1cfdf1bd619fddf97ac6ed97fbbb78ebfdb23c4becac00fe85f6dc2592ae6e211071856c3147645a5374fcfc738a230224ed64a12dbf

  • SSDEEP

    6144:qRUaln76uvhnBWDGXtydJ0/F6tkM9FLPv4cHGQQQeiuq9QrVbxOxcXt5ws/:f0n76uvtBRXUJ0/F+D9Ocmpfq41OYDwu

Malware Config

Targets

    • Target

      BitcoinBlackmailer.exe.dis

    • Size

      283KB

    • MD5

      89d6fc6c1a51cef335f7ee2bc2aa60ae

    • SHA1

      3f6e3e5126c837f46a18ee988dbf5756c2b856aa

    • SHA256

      773295583998b76b4e24b562f85fa685577067614133db4a7df3d2a28cb4cc3a

    • SHA512

      ea15149f24cb0e6b5ff5e43b42c0bb71a2d3f47f7068b6b3eba2f64a5a07ceec5f7c0e520d6babc2081f17b777d28847b83f405aa757401aabe5dc3d5ecc31dc

    • SSDEEP

      6144:vUgDn7iOV7n1MDGXhAd705ZSlkTfMLJTOAZiYSXjjeqXus:M2n7iOVb1PX+705ZUkTfMLJTOAZiYSXF

    Score
    1/10
    • Target

      Ransom.Jigsaw.B.exe.dis

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (2004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks