Overview

overview

10

Static

static

3

jigsaw.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-08-2024 17:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jigsaw.exe

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score
10/10
jigsawpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Renames multiple (1504) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
    "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:4852
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:240

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun
      Filesize

      32KB

      MD5

      829165ca0fd145de3c2c8051b321734f

      SHA1

      f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e

      SHA256

      a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356

      SHA512

      7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

      Download Submit

    • C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun
      Filesize

      160B

      MD5

      580ee0344b7da2786da6a433a1e84893

      SHA1

      60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

      SHA256

      98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

      SHA512

      356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      Filesize

      283KB

      MD5

      2773e3dc59472296cb0024ba7715a64e

      SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

      SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

      SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun
      Filesize

      8KB

      MD5

      f22599af9343cac74a6c5412104d748c

      SHA1

      e2ac4c57fa38f9d99f3d38c2f6582b4334331df5

      SHA256

      36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65

      SHA512

      5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1722612663.txt.fun
      Filesize

      16B

      MD5

      8ebcc5ca5ac09a09376801ecdd6f3792

      SHA1

      81187142b138e0245d5d0bc511f7c46c30df3e14

      SHA256

      619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

      SHA512

      cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

      Download Submit

    • memory/860-4-0x000000001BEA0000-0x000000001C36E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/860-5-0x000000001C410000-0x000000001C4AC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/860-19-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/860-0-0x00007FFCFBF25000-0x00007FFCFBF26000-memory.dmp

      Filesize

      4KB

      Download

    • memory/860-2-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/860-3-0x00000000013D0000-0x0000000001408000-memory.dmp

      Filesize

      224KB

      Download

    • memory/860-1-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4852-21-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4852-20-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4852-22-0x0000000001800000-0x0000000001808000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4852-180-0x00007FFCFBC70000-0x00007FFCFC611000-memory.dmp

      Filesize

      9.6MB

      Download