jigsaw | 9580e6c4deba3bd46419a402b6309f77c2ed47ad62299c82ec8578400c2a3a64 | Triage

Sharing

General

Target

64e7c95aefe82efb39185321a6cdd5c4_JaffaCakes118
Size

351KB
Sample

241021-a1jawazbnf
MD5

64e7c95aefe82efb39185321a6cdd5c4
SHA1

f8431cf0a73e4ede5b4b38185d73d8472cfe2ae7
SHA256

9580e6c4deba3bd46419a402b6309f77c2ed47ad62299c82ec8578400c2a3a64
SHA512

4062e13d7b5d0a8cdf15127509265363f234ed242eaaa35251d74d247c662e143f36cda6bd55b4b6e792d30e50a920799a137e375c91e943b812c096a727baf9
SSDEEP

6144:xS6NzGVdSv7S4rWSJ4/2lIVv0IN1FBB122Ve8cEvpFlNscjMTkx3gDRtPvPOXlMY:xRqu7SuWq4/w80GFBPcAvpXMTkx3gVtI

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  64e7c95aefe82efb39185321a6cdd5c4_JaffaCakes118
- Size
  
  351KB
- MD5
  
  64e7c95aefe82efb39185321a6cdd5c4
- SHA1
  
  f8431cf0a73e4ede5b4b38185d73d8472cfe2ae7
- SHA256
  
  9580e6c4deba3bd46419a402b6309f77c2ed47ad62299c82ec8578400c2a3a64
- SHA512
  
  4062e13d7b5d0a8cdf15127509265363f234ed242eaaa35251d74d247c662e143f36cda6bd55b4b6e792d30e50a920799a137e375c91e943b812c096a727baf9
- SSDEEP
  
  6144:xS6NzGVdSv7S4rWSJ4/2lIVv0IN1FBB122Ve8cEvpFlNscjMTkx3gDRtPvPOXlMY:xRqu7SuWq4/w80GFBPcAvpXMTkx3gVtI
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (2004) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

jigsawpersistenceransomwarespywarestealer

behavioral2

jigsawpersistenceransomwarespywarestealer