jigsaw | 9dca05d456e7a2f665bc3d92c883574754718441a6075de6d09a918e67ae1035

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yasuo.Paypal.v4.5.5.5.lnk
Size

3KB
MD5

5d6276cdb3f840dc5c5a6c89a42a8d6d
SHA1

c4094dd18d14f214392709a7da2b8d47649298bc
SHA256

2cf631d3527853eaa9d486915707cbe570f82d408c16d84aa530ef38ec594296
SHA512

98a91248ad60fa91633c29fdf72d379f0b80f24b030d704079f2b9a9689e298d0d064bbcc72d6d37e37cb04802e9c3f31bcf8810440b5fa50dc9845a857ba27f

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (2510) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1996	drpbx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Yasuo.Paypal.v4.5.5.5.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.gws	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif.gws	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif.gws	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.gws	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.gws	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.gws	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.gws	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.gws	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.gws	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.gws	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.gws	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp.gws	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2600	2756	cmd.exe	32
PID 2756 wrote to memory of 2600	2756	cmd.exe	32
PID 2756 wrote to memory of 2600	2756	cmd.exe	32
PID 2600 wrote to memory of 2548	2600	cmd.exe	33
PID 2600 wrote to memory of 2548	2600	cmd.exe	33
PID 2600 wrote to memory of 2548	2600	cmd.exe	33
PID 2548 wrote to memory of 1996	2548	Yasuo.Paypal.v4.5.5.5.exe	34
PID 2548 wrote to memory of 1996	2548	Yasuo.Paypal.v4.5.5.5.exe	34
PID 2548 wrote to memory of 1996	2548	Yasuo.Paypal.v4.5.5.5.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Yasuo.Paypal.v4.5.5.5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c "cd files && start Yasuo.Paypal.v4.5.5.5.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\files\Yasuo.Paypal.v4.5.5.5.exe
    Yasuo.Paypal.v4.5.5.5.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\files\Yasuo.Paypal.v4.5.5.5.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.gws

Filesize
160B

MD5
4624905679a8c26eb3cbcf0bea34785e

SHA1
341765659db6ac5dca240a2d559f9767b5ce1252

SHA256
799474c262c09de278cab1562154797551483d7e4cdfad242bdf51df82136e06

SHA512
25abe41f1b7e95c1371c59d15c27850a207a6221e77413ae3cef50b4c49cb98174f2c6da57f0be62658a545840ae5b55f80f2d24a54bc183babe408369cbc907

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.gws

Filesize
12KB

MD5
0642d2d543656090f67737542375d065

SHA1
e3712203384538166b0a6210643839d4225e5fae

SHA256
324f68091cf265d5fa4232d04155acddb152f7472cab54d433d84c62ece3daa8

SHA512
95cf9164922e1b7670d59bc00f2d8a0a9927d97054016c9324bc0121ab964656bb19bebcf6cd020cc6f633d63aa4c3860eea2c1a591142fb3a948235ec22f431

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.gws

Filesize
8KB

MD5
c62616ef21e492ce9e19f3b534f9f787

SHA1
95ba44c7bad9f3c3d64da082db80718438c7f32d

SHA256
5b64a36ad55a43e802597f343ba1dadf70a9a00304d60d20e08f58f94ebb9581

SHA512
bfdfd2c35a77e1c3d81b3448e0d1a0fb1527bb7a9884d179d64b35ca0c97c5b9c76fda8d9fa6dc4332e18e0962e6fa43de3d5266d9df49643c28769b77d285fd

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
436KB

MD5
3bee1d24189d4941f68b96da6e207be4

SHA1
dce911b1c05da965c8733935723b88bc29d12756

SHA256
a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710

SHA512
a40b01c630ff2c4b90a2e1bbf285c5d558193ee0fba79a3210a56408087ca828292269945e3202f65b8eb038a565b1ea8a18d185864ba9dc4073a3633c86ca29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.gws

Filesize
16B

MD5
c3a747554556df614575dc417c3cf9d9

SHA1
2e71688b2013bc93b1c5c01e5fd902a32a62007e

SHA256
da1f992586145a03fec57464a38b8bb928cafd8fa9996386732e83a6de555ed7

SHA512
eb740b56bfc85d2c5be11af614cb413a0f0e055d6d2311d4790d86ad71c59a2ec4f13e09d04a180e3279c22ac320cfa38892bd0f6a5e8e04299ed64b2d514c2d

Download Submit
memory/2548-36-0x000007FEF64FE000-0x000007FEF64FF000-memory.dmp

Filesize
4KB

Download
memory/2548-37-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2548-41-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2548-45-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads