General

  • Target

    Ransomware.Jigsaw.zip

  • Size

    239KB

  • Sample

    240817-gm8f6szgrf

  • MD5

    4161238e76dc9ae69c0c96fade43b0bd

  • SHA1

    bf51e618d59253075d33461a353d20018ad177a6

  • SHA256

    bc6c2a22cf086bb9f18e100866c83377a2c8cfb4f3b9cbc0330194d58edde7df

  • SHA512

    2e93a58e3ef51d210ae16e56e745eb60056a86ebfb86b34f15e1d66a86997aa48f6091e4e0829144295cf4ad08f36a0a60c45726ccfaa440fb80217fb18697d7

  • SSDEEP

    3072:B7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk3:B7ym3VNA7w8R5/rxv7O0yng0UtVw5N5

Malware Config

Targets

    • Target

      Ransomware.Jigsaw.exe

    • Size

      283KB

    • MD5

      2773e3dc59472296cb0024ba7715a64e

    • SHA1

      27d99fbca067f478bb91cdbcb92f13a828b00859

    • SHA256

      3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

    • SHA512

      6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

    • SSDEEP

      6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Renames multiple (986) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks