jigsaw | d41b5d3d0c6c0e8e9c850eaedf84623f48ba8e72f3867e57b0d94ddaaca738ee | Triage

Sharing

General

Target

4fe313da6d94379f996c31754df8eb30_JaffaCakes118
Size

1.3MB
Sample

241017-av894svhnr
MD5

4fe313da6d94379f996c31754df8eb30
SHA1

ca40233610d40258539da0212a06af29b07c13f6
SHA256

d41b5d3d0c6c0e8e9c850eaedf84623f48ba8e72f3867e57b0d94ddaaca738ee
SHA512

e0d7ee89999f65d5e9be7fdf1379043316d7aaa672aecd4dd205351a6cba267a253a14f6fbcd390d16e322f48bab03134a8dcf11b0c4c58b228de1a33b4ddd4c
SSDEEP

12288:5jX/yn3RHzsmP+agVznWqZa/Cr7/YHWXD09rUw7myAIT2+meAMLNzkB+wE0+p9G8:5rynBHzsmGTGK/YHWX3yAQDAmzxR

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  4fe313da6d94379f996c31754df8eb30_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  4fe313da6d94379f996c31754df8eb30
- SHA1
  
  ca40233610d40258539da0212a06af29b07c13f6
- SHA256
  
  d41b5d3d0c6c0e8e9c850eaedf84623f48ba8e72f3867e57b0d94ddaaca738ee
- SHA512
  
  e0d7ee89999f65d5e9be7fdf1379043316d7aaa672aecd4dd205351a6cba267a253a14f6fbcd390d16e322f48bab03134a8dcf11b0c4c58b228de1a33b4ddd4c
- SSDEEP
  
  12288:5jX/yn3RHzsmP+agVznWqZa/Cr7/YHWXD09rUw7myAIT2+meAMLNzkB+wE0+p9G8:5rynBHzsmGTGK/YHWX3yAQDAmzxR
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (2015) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

jigsawpersistenceransomwarespywarestealer

behavioral2

jigsawpersistenceransomwarespywarestealer