Extracted

• • Target

    PanKoza2.0DiscordTokenStealer2024.exe

  • Size

    9.5MB

  • MD5

    6c21e9957b540c1fc5c6c30f991423dd

  • SHA1

    3937d74580a14bb8debd9c763fb1816cb26b881d

  • SHA256

    fd6b4896e31a516c1aceae5d2e82822dc0efdecbcebf882b2875e57ce9e26cb0

  • SHA512

    f4b7825e1cd7267b2bc9e8801c19ae72b76a0269dd0fb144303494882eb68bc4f0e2d8b6766f80252b6acd12090a6b6f0c4bc5e2c089d35a24e0a64de2bda5ba

  • SSDEEP

    196608:weurQ4kCMsjWDqYbcMtnpVGNrzUrTg6aXW/aHIFU7s39:C84keyDFcMtpcqI62WO

  Score

  10^/10

  jigsawdefense_evasiondiscoveryexecutionmacromacro_on_actionpersistenceprivilege_escalationransomwarespywarestealerupxcredential_access

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw

  • Modifies WinLogon for persistence

    persistence

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Renames multiple (115) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Office macro that triggers on suspicious action

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action

  • Suspicious Office macro

    Office document equipped with macros.

    macro

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks registry for disk virtualization

    Detecting virtualization disks is order done to detect sandboxing environments.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Enumerates processes with tasklist

    discovery

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2