jigsaw | 61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

Resubmissions

19-07-2024 15:21

240719-srpqea1dkd 10

09-10-2023 22:49

30-03-2021 09:40

30-03-2021 09:36

29-03-2021 16:32

Analysis

max time kernel
66s
max time network
57s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cats.exe
Size

126KB
MD5

e0d108435c58dc9403588e4dcab68275
SHA1

7a7331423938020550ff3decd2e8b50b3ee5c87a
SHA256

61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8
SHA512

2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e
SSDEEP

3072:7+gYdgLNp0jPilel4+800N1lknzRxqmhda40U6hrnzRxqmhda40U6hK:6gvunnhdaLlrnnhdaLl

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (2027) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
696	Chrome32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	cats.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	Chrome32.exe
File created	C:\Program Files\7-Zip\readme.txt.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_hyperlink.gif	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.cat	Chrome32.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.cat	Chrome32.exe
File created	C:\Program Files\CompareHide.doc.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.cat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	Chrome32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
696	Chrome32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 696	2076	cats.exe	30
PID 2076 wrote to memory of 696	2076	cats.exe	30
PID 2076 wrote to memory of 696	2076	cats.exe	30

C:\Users\Admin\AppData\Local\Temp\cats.exe
"C:\Users\Admin\AppData\Local\Temp\cats.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
  "C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\Admin\AppData\Local\Temp\cats.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:696

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.cat

Filesize
160B

MD5
a8258060e35cd08265a3f658e6aa2963

SHA1
a67c6aeb6db7a488c84810feea22a2d6f7be9bc8

SHA256
e847f277e6adf5f94573c0f1b10ac15efd6ca48f34f9be52e9baec6e1f1de04b

SHA512
70ecf38aa25d92ffff7a24ea35c467c95b9a22dfdc99e0705d56527923cda574add21987ab98ae2b8c589e334141d6957a660a3e34a546c764c3e42069f50d45

Download Submit
C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe

Filesize
126KB

MD5
e0d108435c58dc9403588e4dcab68275

SHA1
7a7331423938020550ff3decd2e8b50b3ee5c87a

SHA256
61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

SHA512
2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.cat

Filesize
16B

MD5
a2ec71f236b0da26c756b086bd502f09

SHA1
e9dc21e143a2aba3ca9eb634ed291ddf93b32e4b

SHA256
b4805a7f3e187212efacd5c2475bc8a30ce7274f8dae65858537a7f08b866717

SHA512
a1d0f50c760c9bc3ab50053633e2fd3bdca6d0de8f256b48b5c45c8bc20a93a7e2123b09c8ce5de3c9ef013d0f2c3de165d68f7748c89d629122ae6d498e9af3

Download Submit
C:\Users\Admin\AppData\Roaming\System32Work\EncryptedFileList.txt

Filesize
190KB

MD5
469021c9a36263fdab8875291bc9ecbf

SHA1
3e1e3ee99b86f31d611866def9a8d3ac791b53d2

SHA256
fe73711ec90ab032c10f4ff5bd796534f5ada15a20c3bd35e83cd0cfb81ac3d4

SHA512
0dd7c09b7189a42240e3bf13f1b1218eabedc9892bc77f0da1d2f22a8eeb4407f6155686cd6bb946d295dd2af0568b7ec7e628e4df85cccded8495b97a3fbad5

Download Submit
C:\Users\Admin\Documents\SelectTrace.xlsx.cat

Filesize
10KB

MD5
6a9cbce075203c9065775d83343ce699

SHA1
bd1003dcefaf79e47b51d3f37ffd1fb850b20808

SHA256
7a9b7129ac74789a3f1ae90eb3664767739b7b20d1df882ce55fa8d269ee9b38

SHA512
6b169a60bf850bf7d1e50642c8458b30714eba8c3e6ee84aef5ff8e0dfc1b8a2af64f8ca56384c48b797e52ae418c41623ade1e2f5a3e8cb4e52bbe126975bb6

Download Submit
memory/696-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-250-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-251-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-389-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-2049-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-2057-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-2070-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/696-2091-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2076-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2076-0-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/2076-6-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2076-4-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads