jigsaw | 31823040d8ccb20eab0b8653d01af370a6537017e69ead69f6f7b73d6ef7ac14 | Triage

Sharing

General

Target

4c153eacdfa8807f1c8fd98e5267da4b_JaffaCakes118
Size

2.3MB
Sample

241016-kb5gxs1eng
MD5

4c153eacdfa8807f1c8fd98e5267da4b
SHA1

ce42e2c694ca4737ae68d3c9e333554c55afee27
SHA256

31823040d8ccb20eab0b8653d01af370a6537017e69ead69f6f7b73d6ef7ac14
SHA512

b2352099a41460c5c210774e5e63f85bd3c8898b58a3348444b35f233fdac50d2cedec68b7695a10109c3493f430c1e85fe039352d66756c5f6f9e9b0793d851
SSDEEP

24576:oF0rCLbf5rqziUnd5l1kqo/wvX0muSOcFjiWrO/iK1ubRM24RWCJG6h/ekExcZ4R:q607QiUnx1k4B9iWrTbi2AhDRek1Z4

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  4c153eacdfa8807f1c8fd98e5267da4b_JaffaCakes118
- Size
  
  2.3MB
- MD5
  
  4c153eacdfa8807f1c8fd98e5267da4b
- SHA1
  
  ce42e2c694ca4737ae68d3c9e333554c55afee27
- SHA256
  
  31823040d8ccb20eab0b8653d01af370a6537017e69ead69f6f7b73d6ef7ac14
- SHA512
  
  b2352099a41460c5c210774e5e63f85bd3c8898b58a3348444b35f233fdac50d2cedec68b7695a10109c3493f430c1e85fe039352d66756c5f6f9e9b0793d851
- SSDEEP
  
  24576:oF0rCLbf5rqziUnd5l1kqo/wvX0muSOcFjiWrO/iK1ubRM24RWCJG6h/ekExcZ4R:q607QiUnx1k4B9iWrTbi2AhDRek1Z4
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (2008) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

jigsawpersistenceransomwarespywarestealer

behavioral2

jigsawpersistenceransomwarespywarestealer