jigsaw | abff8ad79e497aeb5787012b0b0b718324e98bff7e703071c9fe75d6e534b6d6

Resubmissions

27-11-2024 13:27

241127-qqdkmsvnhz 10

27-11-2024 09:28

241127-lfrx3atrgr 10

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe
Size

1.5MB
MD5

b8f887a092b6bdcb1bd882e35164d1d7
SHA1

08152f67bf925a7478312d45a67f33116a6097b3
SHA256

2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95
SHA512

057b60f71a84c51d3112e553164d4a476f9488bd1369cec4405975b8cece83fe29d58342bd02ad17542ca1e38254f05dadca027ecbeb281d3b94ff198517dff7
SSDEEP

24576:7zwwr/TK4y3+HaxwUsgdYNLhzEnmfp499VYn6nTtEpR59qUN0i6OtH:78wra+ksgdYNLhYmfpaVYn6nTMR59VSi

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (2021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2444	drpbx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ro.txt.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.dc	drpbx.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.dc	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.dc	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip.dc	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.dc	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml.dc	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.dc	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif.dc	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.dc	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.dc	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2444	2648	2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe	30
PID 2648 wrote to memory of 2444	2648	2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe	30
PID 2648 wrote to memory of 2444	2648	2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe	30

C:\Users\Admin\AppData\Local\Temp\2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe
"C:\Users\Admin\AppData\Local\Temp\2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.dc

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
1.5MB

MD5
b8f887a092b6bdcb1bd882e35164d1d7

SHA1
08152f67bf925a7478312d45a67f33116a6097b3

SHA256
2f41c73046f3b0f5edd79ae089b6b64ec3a0812ea02fe7325b8e5b171a621c95

SHA512
057b60f71a84c51d3112e553164d4a476f9488bd1369cec4405975b8cece83fe29d58342bd02ad17542ca1e38254f05dadca027ecbeb281d3b94ff198517dff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.dc

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
C:\Users\Admin\AppData\Roaming\System32Work\EncryptedFileList.txt

Filesize
190KB

MD5
39488efdf502ed5b3609b3f21a85020d

SHA1
e9bac9646bc8a6b286e7510bda3e9557f99b2aab

SHA256
7c0047d407614d616ad9c13ac47e5da2001758af23cec607439c5701b20f4422

SHA512
289b83bf8981879e619a046439702fd47228a5467eca086ddae82cb16e426094c9e77025f47995ce809d4cadc544fa370141e255022ffc49916300cb0d349793

Download Submit
C:\Users\Admin\Documents\NewHide.xlsx.dc

Filesize
9KB

MD5
30aa572b185d07a2b4a579f812065134

SHA1
73fbfe228e5fbca6fdc4b18e16c9b5a0ad229abd

SHA256
c32575cdd39a09244624f17667fbce4306474a926c2554be43dada0ecd5953ea

SHA512
b62147d09e78f311c0d9afbfbe32a3ed3de3a40ffd472d069538246e2fc1ddbab7c38a9c95a1006dd701e7c8c8870df8350b8b287260bf9e11106d2e5e1c7505

Download Submit
memory/2444-2047-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-2048-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-13-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-12-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-14-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-2055-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-2053-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-11-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-2043-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-2046-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-1-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/2648-2-0x000000001B330000-0x000000001B59E000-memory.dmp

Filesize
2.4MB

Download
memory/2648-3-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads