jigsaw | 7934625ee2b46883d287d31cb3d1d0b2eb3a0ac2a59a22d434b16513af3d1b11 | Triage

Sharing

General

Target

52cdf9dc4986a5df3e8b0df4c4d77da6_JaffaCakes118
Size

684KB
Sample

241017-vsye2szapk
MD5

52cdf9dc4986a5df3e8b0df4c4d77da6
SHA1

81309c26783f809f9c98edae4a0730aab1bf5ad6
SHA256

7934625ee2b46883d287d31cb3d1d0b2eb3a0ac2a59a22d434b16513af3d1b11
SHA512

44df0ce2bed5238a1c51419b70f8d45c0ebc7ad7938012e9ff71512f51ae9df501dd67863716b8a8362df1079c472ef86a50cd8bbab648d4613bd663f6ce53b3
SSDEEP

12288:Ixd0h1smbbWC+G/d8ke2Ov71Qoh1PCtCSqBHPuDxcSMa+58tbRC:IxRmbyC+Od8cOvWsZVW

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  52cdf9dc4986a5df3e8b0df4c4d77da6_JaffaCakes118
- Size
  
  684KB
- MD5
  
  52cdf9dc4986a5df3e8b0df4c4d77da6
- SHA1
  
  81309c26783f809f9c98edae4a0730aab1bf5ad6
- SHA256
  
  7934625ee2b46883d287d31cb3d1d0b2eb3a0ac2a59a22d434b16513af3d1b11
- SHA512
  
  44df0ce2bed5238a1c51419b70f8d45c0ebc7ad7938012e9ff71512f51ae9df501dd67863716b8a8362df1079c472ef86a50cd8bbab648d4613bd663f6ce53b3
- SSDEEP
  
  12288:Ixd0h1smbbWC+G/d8ke2Ov71Qoh1PCtCSqBHPuDxcSMa+58tbRC:IxRmbyC+Od8cOvWsZVW
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (2021) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

jigsawpersistenceransomwarespywarestealer

behavioral2

jigsawpersistenceransomwarespywarestealer